Agreed. He did make a brief mention, "if you are cynical". Well, yeah, I am. Duh. He totally white-washed this. With TPM, the manufacturer has a way to send info to and from your computer and you can't see it. No thanks. I'll use encryption -- for sure -- but on my own terms and will trust only the physical as a root of authority. That means, when I use my own TPM, I buy from another source, add my own random number in the root, and then add it to the system. He totally could have got into that but no, he didn't talk about TPM as a physical pluggable module. AKA: The mike has done a disservice.
@@kippie80 It was very disappointing. Not only brushing over the severe defects in this system, but repeating the marketing hype of "it makes a system secure" as if it were true. "Secure for whom" is a crucial part of that which was left out.
TPMs sound like the ideal method of building a hardware backdoor into all system crypto, all undetectable to the upper-layer OS. There have been plenty of examples of using 'trusted' systems to install otherwise untrusted code, and I have no doubt that this will (or has) happen(ed) on TPM.
You don't need a TPM for this. Secure boot is enough since the private keys for signing software got leaked. In theory you could rootkit a Windows (and other OSes) installation without any part of the boot process (UEFI, boot loader, operating system preloader, OS) noticing that something is wrong.
Well, why start there? We already have hardware randomness on CPUs and hardware crypto on CPUs, so why not just implement it there instead of requiring a whole module for it?
Umm.. Alright, sounds cool.. can we get it so it's bound to a flash drive? So if any device breaks we just take that with us? And well, I hope what you mean by the DRM thing is that I can store movies on a local machine or on a computer on my local network. I haven't watched the video yet so personally I don't see TPM allowing DRM content being local.
There is a random number seed that is hard-coded into the TPM in the factory; I cannot see how that could ever be abused. Everybody just needs to TRUST that the factory where the Trusted Platform Module was manufactured did not keep a copy of the EPS (Endorsement Primary Seed) that was hard-coded in the chip. This seed is used for generating the EK, which is associated with the Endorsement hierarchy.
This is not necessarily the case. In the world of software we are used to pseudorandom number generators that appear random but are ultimately deterministic and rely on a seed. In hardware we suffer no such restrictions. Indeed, if a TPM is being used for cryptographic functions it should contain a cryptographically secure random number generator. It's not uncommon for such generators to use some physical source to generate 'true' (or at least non-deterministic) random numbers. The TPM could, for example, use such a source on first boot, write the result into a register and blow fuses to make it permanent. If done correctly then both the manufacturer and designer would have no knowledge of each chip's key. Even if such a generator has an initial seed, the next state can't be determined using it alone. Examples of 'true' random number sources include radioactive decay, quantum weirdness, electrical noise on supply rails, temperature/sound (e.g. tenth decimal place), etc. There's a whole field of research around 'physical uncloneable functions' which might also be of interest.
They'd also have to figure out exactly whose computer it went into.... and, since you can move hard drives from machine to machine, that it was even done with the TPM in the current computer. It's not really an issue aside from manufacturer-direct prebuilt machines.
TPMs make me nervous because a hardware failure could render me unable to access my own keys and data. That seems more likely than a black hat hacker pulling off a root kit on my OS.
It's pointless regardless. There are many ways of solving this problem. A password you have to provide on startup of anything that decrypts those keys would probably be the best idea since 1. you're not relying on that hardware, 2. you don't need any external hardware. I'm pretty sure this is what Linux already does with its "Keychain" technology.
Likelihood depends. Are you a soccer mom or are you a state senator on a national security committee? Are you a fireman or are you an engineer at Lockheed? Your viability as a target depends on what you do and what hackers want. There are many hackers who wouldn't target a state senator but would go after a soccer mom because they stand to benefit more monetarily. You never know when you're a prime target, even when you're just an ordinary Joe. Your concerns are still valid though.
Real question: Does windows have a bitlocker alternative for full drive encryption? I ask because it isn't fun to enable when dual booting ... windows detects a root of trust compromise and I get to log into my Microsoft account to enter an alphanumeric phrase to log into windows to disable bitlocker drive encryption. Fun!
No, if you use Bitlocker, except if your drive dies, there are no issues getting your data back. The Bitlocker key is not saved inside the TPM; it uses the TPM to cipher it, and the ciphered version of the key is readable on the drive. Then it uses the TPM at boot to uncipher it and use it (i.e. the cleartext key is not saved on the TPM). As long as Bitlocker works, obviously Windows will let you back up your Bitlocker key (nobody said you can't put your drive in an external enclosure and use your recovery key to uncipher it). For information, if your Windows account is not a local one but an online one, by default Microsoft backs up your keys online for you (in other words, they back up end users' as* 😁). So yes, no worries, IT engineers aren't dumb, Bitlocker has existed for years, it's a stable product 😁 Btw, so far Bitlocker has always been reserved to the Pro version of Windows, I'm not sure it will be included by default on W11? Windows has a lot of different security uses of the TPM (secure boot, virtualization based security, ...). TPM is "just" a secure cryptographic vault; how it is used by OS(s) and software is only limited by imagination and current technology (yes, secure boot has been supported by Linux for years 😁). In all cases, regarding the data, backups is the first of all rules!
As always...this is quite informative. In my industry (cinemas) we have this dreaded thing called the "KDM" (Key Delivery Message) whereby a content creator is issued a certificate that allows them to make a key to allow their content to play on your server for a specified amount of time (based on a start/stop date/time)...the KDM can put restrictions, naturally, on what devices may be used on the TDL (Trusted Device List), though mostly it is just the server's mediablock but it could include the projector and even the sound system, in the case of Dolby Atmos. My concern about TPM is from what I've experienced for over 10 years now where the security becomes a bottleneck in free use of one's equipment. At some point, TPM will require that there is a communication between software/applications and the TPM for keys to be handed off, wrapped, stored, requested, used...etc. There is plenty of opportunity for legitimate systems and software to cease working or randomly work or not work due to the security. At what point are people more concerned about the need for TPM versus their need to get things accomplished? Even such low-end security like HDCP causes no end of grief by legitimate equipment fumbling on key handoffs/repeaters and even simple sink/sources periodically blanking the screen/sound.
Exactly! I'm glad to see some existing real-world concerns backing up the theoretical ones. I was also wondering about HDCP, and how it might interact with TPM to make something even worse.
The nature of PCRs is such that they really aren't practical past the point where software stops executing in a predictable order. So they're great for measuring the security state of the boot process for unsealing a disk encryption key but nearly useless for most of the DRM nightmare scenarios that were predicted by the FSF (and resulted in the tools in Linux being several years behind those on Windows). Also the policy language for TPM2.0 is specifically pretty complicated to make it possible to write robust policies that are updateable to deal with upgrades to the system.
It all comes back to trusting those chips (and their vendors) and the programmers of the software required to operate them - and it adds even more complexity to a non-trivial topic.
If TPMs get really popular there will be an open source version too where hard- and software is freely accessible. For random number generators, this already exists (see OneRNG for example). As mentioned in the video, the standard is viewable by anyone. This means if you are exceptionally paranoid, you can make your own hardware.
@@radio4active - Hardware that will have to conform to standards that will ultimately rely on some very complex mathematics that aren't publicly known to be insecure. Black project aircraft? Why not black project mathematics? Haven't some older algorithms been shown to be weak? Don't governments have super-computers?
@@radio4active and indeed this is a problem. Imagine you're working for a human rights NGO that has just uncovered the Pegasus surveillance scandal, and that you want to help human rights defenders around the globe to protect themselves. You will now have to offer them a way to modify their own hardware, instead of software.
So, once we start relying on TPM, don't we basically create a single point of failure (or vulnerability)? Which, even worse than usual, can't be patched to fix vulnerabilities, by design.
I don't think so because the alternative is to have no security at all. Without TPM, if you have physical access to the machine, you can just boot a Linux system with a USB stick and do whatever you want to the primary OS. If you manage to defeat the TPM, it just means that you go back to how stuff was done before. (At least that's how I understand it, I'm no expert.)
@@zaandam0172 yes I was using veracrypt to encrypt my SSDs, even the system partition. But TPM is better because you can use windows hello. You can buy a usb fingerprint reader for your desktop and your laptop most likely has a fingerprint or 3D face unlock. It saves time trying to type a long password.
@@uncannysnake Since they are probably manufactured in China or Taiwan, I don't think so, no. May I add it is likely that Bitlocker will not be included in W11 home edition anyway, the feature has always been reserved for the Windows Pro version so far. TPM is not only used for Bitlocker, and the other kinds of protection it offers are the opposite of what you think, since it offers runtime security of the OS; the CIA probably do not want it, they are surely right now thinking about how to overcome Windows features that leverage them.
@@LordNementon This really is a comment beyond saving.
> CIA probably do not want it
If they would not love it, it would not exist. There are agreements in place that every big software and hardware manufacturer in the US must provide government backdoors. You are obviously not aware of this or doubt it is real. It is and you need to look this up ASAP to become informed.
I normally love these videos, but this was the most convoluted explanation of how the TPM works, and I already understand it. And this is a rare case where the graphics did very little to help.
So glad that Computerphile decided to cover this topic. I found the video somewhat useful, but it doesn't clearly explain the full topic. Either that or TPM's are a flawed idea, cos it seems like just begging the question
All the security in the TPM is that you cannot do any non-destructive attacks to extract the root key, or bypass the need to do so in order to extract any other information from it. Userspace programs won't use the TPM for much really, they'd ask the operating system to do the encryption and everything. The TPM doesn't come into play for regular application developers. OS kernels, bootloaders and bare metal hypervisors are the only clients. Bitlocker. I've noticed that booting Windows through Grub when I initially set it up directly will fail the check and force me to insert the recovery key (or to shut down)
When was the last time you generated a key with pencil and paper? 😈 just teasing. But actually my brother worked on a security device that works in this way and the “root key” was not generated by the manufacturer, it was actually derived from the physical characteristics of the silicon itself which guaranteed it to be truly random and truly unalterable/unable to be replicated. I don’t know anything about the TPM spec, but I wonder if it’s doing something similar 🤷🏻♂️
@@leviathan7477 oh, this sounds like a PUF (physically uncloneable function). They're quite interesting, and I got to learn a little about them this past spring. The basic principle is that you send a PUF a challenge, and it gives a response. One example of this is a metal resistance PUF. You have an array of metal interconnects on the chip, and the challenge is used to select one of them. There is a higher voltage at the top of the metal interconnect and a lower voltage at the bottom. The greater the resistance of the interconnect (which is determined by manufacturing variations), the lower the bottom voltage. Each voltage is used to power a separate long chain of inverters. A pulse is generated at the start of the bottom inverter chain, and after a small delay, it is also sent to the top inverter chain. Because the top inverter chain is powered by a higher voltage, the pulse will propagate down it faster and eventually pass the pulse still propagating through the bottom chain. The chip measures how many inverters it takes for this to happen and uses this number to produce the response. The idea of PUFs in general is that an organization records responses to many selected challenges during an "enrollment" phase and then later, during normal operation, can send those same challenges to the device in the field and check its response to verify that it is actually the device (and not someone trying to impersonate it). In practice, this is difficult, because physical characteristics of silicon change depending on temperature and voltage, but there are ways to compensate for this (essentially by using a few bits of helper data to "error correct" the response to the one recorded during enrollment). My professor was somewhat skeptical of PUFs, though. Who's to say physical characteristics of silicon are truly random?
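The enrollment and helper-data idea from the comment above, as an added simulation that is not part of the original thread: a constructed PUF whose response to a challenge is fixed by a per-device secret but flips a couple of bits on every readout, enrolled with the code-offset construction (helper = response XOR codeword) so that the verifier can reproduce the same key from a later noisy response while a different chip cannot. The repetition code, the challenge string and the device secrets are constructed stand-ins; real designs use stronger codes.

```python
import hashlib
import os
import random
from typing import List, Tuple

RESPONSE_BITS = 256
REPEAT = 9                              # repetition-code block length: corrects up to 4 flips per block
KEY_BITS = RESPONSE_BITS // REPEAT      # 28 key bits recoverable from one 256-bit response


class SimulatedPUF:
    """Constructed stand-in for a silicon PUF: the ideal response to a challenge is fixed by a
    per-device secret (manufacturing variation), and each readout flips a couple of bits to
    model the temperature/voltage drift the comment mentions."""

    def __init__(self, device_secret: bytes, flips_per_readout: int = 2, seed: int = 1) -> None:
        self._secret = device_secret
        self._flips = flips_per_readout
        self._rng = random.Random(seed)  # seeded so the simulation is reproducible

    def _ideal_response(self, challenge: bytes) -> List[int]:
        digest = hashlib.sha256(self._secret + challenge).digest()
        return [(byte >> i) & 1 for byte in digest for i in range(8)]

    def respond(self, challenge: bytes) -> List[int]:
        bits = self._ideal_response(challenge)
        for pos in self._rng.sample(range(RESPONSE_BITS), self._flips):
            bits[pos] ^= 1
        return bits


def hamming(a: List[int], b: List[int]) -> int:
    return sum(x != y for x, y in zip(a, b))


def enroll(puf: SimulatedPUF, challenge: bytes) -> Tuple[List[int], List[int]]:
    """Enrollment: choose a random key, encode it with the repetition code and publish
    helper = response XOR codeword. The verifier keeps the helper data and a hash of the key,
    never the raw response."""
    response = puf.respond(challenge)
    key = [b & 1 for b in os.urandom(KEY_BITS)]
    codeword = [bit for bit in key for _ in range(REPEAT)]
    helper = [r ^ c for r, c in zip(response, codeword)]
    return key, helper


def reproduce_key(response: List[int], helper: List[int]) -> List[int]:
    """Field operation: response' XOR helper = codeword XOR noise. A majority vote per block
    removes the noise as long as fewer than REPEAT/2 bits flipped inside any one block."""
    noisy_codeword = [r ^ h for r, h in zip(response, helper)]
    key = []
    for start in range(0, KEY_BITS * REPEAT, REPEAT):
        block = noisy_codeword[start:start + REPEAT]
        key.append(1 if sum(block) > REPEAT // 2 else 0)
    return key


def key_hash(key: List[int]) -> bytes:
    return hashlib.sha256(bytes(key)).digest()


def authenticate(puf: SimulatedPUF, challenge: bytes, helper: List[int], expected: bytes) -> bool:
    """Send the enrolled challenge, rebuild the key from the noisy response, compare hashes."""
    return key_hash(reproduce_key(puf.respond(challenge), helper)) == expected


def scenario() -> dict:
    challenge = b"challenge-0017"       # constructed; plays the role of selecting one interconnect
    genuine = SimulatedPUF(b"chip-A-manufacturing-variation", seed=1)
    impostor = SimulatedPUF(b"chip-B-manufacturing-variation", seed=2)

    key, helper = enroll(genuine, challenge)
    expected = key_hash(key)

    return {
        "genuine_ok": authenticate(genuine, challenge, helper, expected),
        "impostor_ok": authenticate(impostor, challenge, helper, expected),
        # two readouts of the genuine chip differ by at most 2 + 2 flipped bits
        "readout_noise": hamming(genuine.respond(challenge), genuine.respond(challenge)),
        # two different chips disagree on roughly half of the bits
        "device_distance": hamming(genuine.respond(challenge), impostor.respond(challenge)),
    }
```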
With a better understanding of the manufacturing process and device physics, perhaps we will be able to correlate manufacturing variations in one part of a chip with variations in another and predict PUF responses.
Well, the TPM isn't in the motherboard, it's located in the CPU or plugged into a header on the motherboard. But yes, if you were to change the CPU or the chip then it would be unreadable. The way you avoid this is by decrypting all the data before you change the CPU or TPM, then re-encrypting it again after you change parts.
@@mr_biscuit Which is fine, if annoying, if it's a planned update, but what happens if my motherboard fails and I have to replace it without being able to decrypt everything first?
Initially yes, but you get a recovery key when you encrypt your Windows drive. On a new motherboard, you get prompted to enter the recovery key which then gets stored in the TPM and is used to decrypt the drive. Lots of people are unnecessarily freaking out about this, but TPM based Bitlocker drive encryption has been a thing in Windows for a long time, primarily used in enterprise. I use it myself, and have had no issue in the past taking a Bitlocker encrypted drive, putting it into an entirely different system and booting it up with the recovery key.
@@t_z1030 how does a recovery key work with encryption in hardware if the hardware used to decrypt isn't known at the time the recovery key is created?
Isn't this all a ploy to get more Digital Restrictions Management and licence enforcement into our machines? Apart from the obvious (EDIT: comparatively minor) problems of the vendor-supplied Endorsement Key with which the computer can be uniquely identified. I'm not really keen on having 'security' with keys and dedicated chips outside of my control.
@@DerUnbekannte As in the other thread, just wanted to say that the identifiability is not really what I'm bothered about, since there's already many ways to fingerprint a system.
And what makes you think that? You can go for a Linux system, but even there, not using a TPM and secure boot is today, was yesterday and will even more be tomorrow an extremely bad idea. It's been a long time since Microsoft let you run its OS without activating it; it just sends you some reminder messages as WinRAR does, but what's the point of not paying for your Windows license?
Is the "root key" burned into the TPM and unchangeable? Is "Secure Boot" related to the TPM? Can you do a video on "Secure Boot"? Why do Linux distros need to have Microsoft sign their "bootloaders"? IMO, it sounds like in order to trust the TPM, you need to trust the person that generated the "root key". If that person is not you, then you can't claim its security is in your interest. It's like the browser trusted root authorities regime... faced with advanced state actors, it provides zero security.
Yes to both -- there's a TPM-unique secret key set by the chip manufacturer, and TPM is used to implement UEFI Secure Boot. And it's not only your opinion, but simple fact that one would need to trust the TPM manufacturer, ain't that grand?
@@DerUnbekannte Of course you have to trust the hardware to not contain backdoors. I merely pointed out that a technology specifically meant for security doesn't give any if its main key is determined by a third party. What are you arguing for?
@@Oquasinus the question is what are *you* arguing for. if you think hardware is compromised, then that's already the case now. how would adding tpm's be less secure? for the vast majority of cases, a tpm strengthens the security model considerably.
This will make changing drives and MoBos a nightmare. Don't set up both ends right for a hardware change, and you lock yourself out of access. Gone are simple hardware swaps.
Absolutely. I foresee a lot of irretrievable, irreplaceable files destroyed due to this. It's just a matter of time before someone permanently loses access to crypto coins, family photos, receipts and videos and so on.
@@JayVal90 yeah, but Apple isn’t as snarky and proprietary on Mac… You still have a little bit more control over the system and it’s also way more secure and durable than Windows is… Even if you can’t interchange parts I think it’s still more trustworthy…
@@prestonferry On Macs, you quite literally have the exact same problem that @Jandra Elune said in their original comment. If you remove the SSD on a Mac, you basically brick the machine because of the T2 chip. Remember how iPhones refuse to boot if you replace the camera? How do you think this is accomplished... If anything, they are _way_ more snarky and proprietary because you can't even buy a new T2 chip if it breaks. Anyone can buy a new TPM or SSD if they want to and installing them is trivial. You can even take a compatible TPM to a new machine, with the same drive, and keep all of your data encrypted in the process.
"In a nutshell" a TPM is admitting that we've failed at security, that we're not going to even try, and we're going to use it as a convenient excuse to identify and restrict your use of your PC.
Nah, TPMs are an important part of platform security, and a properly designed one should not leak trackable information into user space, but they're solving separate problems
@@mr_waffles_the_dog And a properly designed one shouldn't have a problem with complete user control, but I don't really see evidence that this "important part of platform security" is being designed with users owning their own system in mind. In fact, everything I've read so far is that it's often going to be used in controlling what the user can do. My comment, however, was addressing the fact that appropriate security at the OS level would eliminate the need for this implementation of TPM --- and the fact that we'd failed at that is why some in the community are acquiescing to their existence. The next (or the current) challenge in computing is: "who _really_ owns your computer" ...
@@randomscribblings Appropriate security at the OS level *cannot* stop someone with physical access to the machine, the TPMs address that attack vector, they further isolate important keys from the OS itself. Which is a defense against the OS itself being compromised. I can't speak to PC TPMs but on a Mac you can disable trusted boot at a partition/OS granularity. Disabling it requires access gated by the SEP in a separate boot mode, and toggling protection effaces a bunch of critical keys (things like the credentials for Apple Pay, Touch ID, etc).
@@mr_waffles_the_dog Meh. Secure boot doesn't require TPM. With public key crypto, the OS simply doesn't boot an unsigned OS. This is a red herring and not an interesting use of TPM. We've had secure boot for awhile _without_ it requiring TPM. Secure boot is simply a gateway drug to get you to accept TPM. Similar to the OS being hacked, TPMs don't really address the OS asking the TPM to sign things that shouldn't be signed. A compromised OS is catastrophic for security. And by asking it to sign chosen plaintexts, it could quietly use the system's on GPU (say) to hack on the security of the TPM itself. But simply put: secure boot can be easily solved without TPM. TPM doesn't solve new problems ... unless the problem is user control.
Yes! This just screams "Multiple future Blackhat talks" and at least one wikihow on "replace your TPM with the number "4" [selected using the fair roll of a die.]"
They've been having a go at TPMs for over a decade. There's been the odd talk about poor implementation from manufacturers (e.g. ROCA, TPM fail), but that's nothing new in the security domain. TPMs have a really strong record for doing what they're designed to do and nothing more.
Or exploit the TPM to add a trampoline to return its key when asked to wrap 0xdeadbeef, disable sealing keys, wait a week, and then exfiltrate all your (now unsealed) keys through other, more easily exploitable software?
Probably the operating system will set things up so that only it can talk directly to the TPM, and that arbitrary software can't. The OS will of course try to only talk to the TPM in a secure way. Then UEFI Secure Boot is supposed to be used to ensure nobody has tampered with the operating system itself.
If man can make it man can break it. This sounds like the "chip" credit cards, they cracked that within a week of it being on the market... What this is REALLY about is letting Microsoft control your computer so they can encrypt and send anything to themselves from your computer they want without your knowledge. You HAVE to hand over the encryption abilities hardwired into your computer to Windows, meaning they can do whatever they want without your knowledge. There's a cost for Windows being "FREE", and it's losing the last shreds of privacy you had.
@@jetjazz05 Dude, they make the OS. Having a TPM isn't going to magically mean they can access more of your data. If they want, they can already access all of your data.
Looks like eventually OS vendors want to limit what programs you can run. (Also for DRM reasons.) More or less like macOS already does, except for now their fallback is to just run the program.
Security and usability are an inverse relationship. The more security that gets implemented in computers, the more important it becomes to have a backup or three (preferably air-gapped) of your data someplace for when the computer suffers some sort of corruption or failure and everything becomes unrecoverable.
@@UltimateAlgorithm Great, MS is just one of the evil players. Best defense: Pol Pot did nothing wrong, there were those other guys too that did it before.
Have TPM built in keys ever been supply chain compromised? What is stopping the TPM manufacturer from recording which key is written to the OTP bits on chip xyz0001 ?
@Øivin Fjeldstad how do you recommend operating a PKI? If you were to deploy some IoT devices...what hardware would you use? Would you operate your own CRL and certificate lists to manage the x509 certs? Would you conduct your own initial provisioning of devices? How would you boot an IoT device securely? What if the IoT device doesn't have an OS? I understand these are very open ended questions, but I am curious about your take on any/all of these questions.
@Øivin Fjeldstad could you please just stop lying. It is not just one layer. Simply because nothing stops anyone to "use it as the only layer and ignore the others". This is just a tiny fragment of set of issues one may have with TPM. And I will not waste my time explaining why exactly all of a sudden so many security experts, whistleblowers, ... never said a single word about the need for everyone to have "some dedicated hardware security life saver".
Virtualization can make the boundary between hardware and software fuzzy, wonder how that plays into this. Will a hosted system be able to tell whether it's talking to a real TPM? What happens when your friendly neighborhood ransomware vendor takes over your TPM? Do you get to use your computer again ever?
The TPM is implemented in hardware and presumably has no persistent storage. There is nothing to take over. As for VM's there is no real concern. If a guest OS gets pass-through access to a real TPM, great, then the guest OS can enjoy the benefits of increased security. The guest OS is just software running on the host OS. That guest OS can only impact the security of the host OS in the same way that all other software on the host OS could. If the guest OS is only given a software TPM then that could be an issue for the guest OS, but I would wager in most cases the user would be aware of this and the consequences are on the user.
@@Faladrin I thought he meant spoofing the TPM. If the system thinks it's talking to the real TPM but it's really a tricky program taking over the role.
The hosted system is able to know if the TPM is the same as the one before, because it cannot unencrypt without it. Man in the middle attacks are possible, but the TPM can help provide the check to prevent some. Ransomware has way easier attack vectors than spoofing driver-level components.
I feel like what I am hearing is that if my computer dies for some reason, all my data on the hard drive is SoL and irretrievable by software? Am I wrong? If so, I don't want that.
@@enochliu8316 Which negates the security of bitlocker and the tpm a bit, right? It means there is an attack possible from that side. I do have it configured that way, because you can take security so far it totally becomes impractical and prone to what Nezz mentions.
It depends. The way Apple did it, yes, 100%. It is soldered on the motherboard and that's that. If your PC has an embedded TPM, then you're in the same boat. If your PC has a separate TPM that you can remove, then you can put it in a new compatible computer and decrypt the drive. Depending on whether you enabled secure boot or not, you might even be able to boot into Windows just fine. In practice with Windows 11, secure boot is also required, so your TPM will refuse to release the keys to your drive. In the end though, if your computer dies, it is very likely that your drive is to blame. SSDs have write limits, HDDs have mechanical components. Outside of fans and batteries, which do not interact with the TPM, they will be the first to fail under normal circumstances. In other words, you should have an (encrypted) offsite backup of your data anyway.
If your HDD dies for some reason, all your data is irretrievable ..., if your computer is infected by ransomware somehow, all your data is irretrievable, if ... just do (securely encrypted) backups, and start now 😉
@@LordNementon Negating the security provided by the TPM as those secure backups require the key to unlock them to be stored somewhere in a format that does not rely on the TPM.
I'm sure it's a dumb question, but if the computer is compromised by Mike, why can't he retrieve the key before it gets sent (or en route) to the TPM to be encrypted?
That's an attack that is possible, but you'd have to have already compromised the system. Some of the important keys are set up before the system connects to the internet for the first time.
Well, you can trust them, but not necessarily the vendors who will build them, again think about the android phones that had viruses on them out of the factory.
It's really not. All you need to do is backup your windows using your windows 7 backup tool, and then open recovery and then choose restore using image. Might not be exact in the naming sense but you will basically have to do that. And, this is only required if you change your motherboard, otherwise not.
@@SahilP2648 You don't even need to do that. Windows gives you a recovery key when enabling drive encryption. If you change your hardware, you are prompted for the recovery key at boot time. Type it in, it gets stored in the new TPM, Windows boots, job done.
What happens if the TPM chip fails/goes defect, then you can say bye bye to all your encrypted data and DRM licenses, since a backup of the stored secret key isn't supported!?
@@ghume79 It's another nail in the coffin of universally usable computers which can run any kind of code that you would like them to run. Look up Cory Doctorow's talk about it, it's almost 10 years old now, but still highly up-to-date in a way...
Fascinating talk! My takeaway is: TPM transforms the task of "hiding" (securing) a single key into hiding multiple parameters. "Mike" has to work harder to determine how many and which key-value pairs are used to seal the TPM key. Because such parameters are set individually on each system, the reward of such labour also diminishes geometrically.
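A toy model of what the comment above and the Bitlocker explanations earlier in the thread describe: the volume key is wrapped by the TPM rather than stored in it, the TPM releases it only when the measured boot state matches the parameters it was sealed under, and a recovery key kept outside the TPM still unlocks the drive when a new bootloader or a new motherboard changes that state. This is an added illustration, not TPM 2.0 code or Microsoft's implementation; the boot component names, the XOR/HMAC wrap and the single-PCR model are constructed simplifications.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple


def _wrap(kek: bytes, secret: bytes) -> Tuple[bytes, bytes]:
    """Toy authenticated wrap (constructed): XOR with a one-block keystream plus an HMAC tag.
    Stands in for the TPM's real symmetric protection; secret must be at most 32 bytes."""
    assert len(secret) <= 32
    keystream = hashlib.sha256(b"keystream|" + kek).digest()
    blob = bytes(a ^ b for a, b in zip(secret, keystream))
    return blob, hmac.new(kek, blob, hashlib.sha256).digest()


def _unwrap(kek: bytes, blob: bytes, tag: bytes) -> Optional[bytes]:
    # None if the tag does not verify under this kek (wrong chip or wrong recovery key)
    if not hmac.compare_digest(tag, hmac.new(kek, blob, hashlib.sha256).digest()):
        return None
    keystream = hashlib.sha256(b"keystream|" + kek).digest()
    return bytes(a ^ b for a, b in zip(blob, keystream))


class ToyTPM:
    """Two properties the thread keeps returning to: a per-chip secret that never leaves
    the chip, and a PCR that software can only extend, never set."""

    def __init__(self) -> None:
        self._secret = os.urandom(32)   # stands in for the chip's factory/first-boot seed
        self.pcr = bytes(32)            # PCR is all zeros after a platform reset

    def reset(self) -> None:
        self.pcr = bytes(32)            # reboot clears the PCR; the chip secret is unchanged

    def extend(self, measurement: bytes) -> None:
        # PCR_new = H(PCR_old || H(measurement)); the order of measurements matters
        self.pcr = hashlib.sha256(self.pcr + hashlib.sha256(measurement).digest()).digest()

    def _kek(self, policy: bytes) -> bytes:
        return hmac.new(self._secret, b"seal|" + policy, hashlib.sha256).digest()

    def seal(self, secret: bytes) -> Tuple[bytes, bytes, bytes]:
        # Bind secret to the current PCR. The policy digest is public; the blob is
        # useless without this chip's secret.
        blob, tag = _wrap(self._kek(self.pcr), secret)
        return self.pcr, blob, tag

    def unseal(self, sealed: Tuple[bytes, bytes, bytes]) -> Optional[bytes]:
        policy, blob, tag = sealed
        if policy != self.pcr:          # measured boot diverged from the sealed state
            return None
        return _unwrap(self._kek(policy), blob, tag)


def measured_boot(tpm: ToyTPM, components: List[bytes]) -> None:
    """Platform reset, then every boot component is extended into the PCR before it runs."""
    tpm.reset()
    for component in components:
        tpm.extend(component)


def recovery_kek(recovery_key: bytes) -> bytes:
    # Recovery protector: derived only from a secret the user saved; no TPM involved
    return hashlib.sha256(b"recovery|" + recovery_key).digest()


def scenario() -> Dict[str, bool]:
    vmk = os.urandom(32)                # volume master key that actually encrypts the disk
    direct_boot = [b"UEFI firmware v1", b"Windows Boot Manager"]      # constructed names
    grub_boot = [b"UEFI firmware v1", b"GRUB", b"Windows Boot Manager"]

    # Enrollment: seal the VMK to the expected boot path and create the recovery protector
    tpm = ToyTPM()
    measured_boot(tpm, direct_boot)
    sealed = tpm.seal(vmk)
    recovery_key = os.urandom(32)       # shown to the user once; stored outside the TPM
    rec_blob, rec_tag = _wrap(recovery_kek(recovery_key), vmk)

    # Normal reboot on the same chip: PCR matches, the TPM releases the VMK
    measured_boot(tpm, direct_boot)
    same_boot_ok = tpm.unseal(sealed) == vmk

    # Booting through GRUB adds a measurement: the TPM refuses and the OS asks for the recovery key
    measured_boot(tpm, grub_boot)
    grub_boot_ok = tpm.unseal(sealed) == vmk

    # The recovery protector never depended on the TPM, so it still works
    recovered = _unwrap(recovery_kek(recovery_key), rec_blob, rec_tag)
    assert recovered is not None
    recovery_ok = recovered == vmk

    # New motherboard: same boot path gives the same PCR but a different chip secret, so the
    # old blob is dead. The VMK recovered above is re-sealed to the new chip.
    new_tpm = ToyTPM()
    measured_boot(new_tpm, direct_boot)
    old_blob_on_new_chip_ok = new_tpm.unseal(sealed) == vmk
    resealed = new_tpm.seal(recovered)
    measured_boot(new_tpm, direct_boot)
    resealed_ok = new_tpm.unseal(resealed) == vmk

    return {"same_boot_ok": same_boot_ok, "grub_boot_ok": grub_boot_ok,
            "recovery_ok": recovery_ok, "old_blob_on_new_chip_ok": old_blob_on_new_chip_ok,
            "resealed_ok": resealed_ok}
```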
This. Can confirm, 5 months of Linux, never been happier, and I've been on Windows for over 20 years, even had the chance to witness the one version before 95, whatever it's called, lol.
It'd be pretty dumb to generate a key and then just pitch it off into the universe with no backup. Perhaps the client might need it again? Do you trust the bank not to spend your money? Why?
The chip manufacturers already know about all the undocumented processor instructions they built into your CPU that would allow them or whoever else knows about them to access and manipulate every bit of information in every part of memory, cache or register on your system any time they like, so if trusting them is a problem for you I hope you're not using a modern processor.
@@MagicPlants I trust the bank to spend my money because that's what they say they will do (hint: You're lending the bank money to do with as they please; you don't have "money in the bank", you have a promissory note from the bank to repay you; for this you used to be provided with 3-4% interest yearly, but now you lend them money for free. Thank the fed or your national equivalent)
Hmmmm just seems like a shell game of pushing the problem until you no longer know where the problem is, but it's still there. If my legit software running on Windows can ask the TPM to decrypt the stored key for use, why can't software that has compromised and gained execute permission on the system also just do that as well: ask the TPM to decrypt? Some software row hammers or in other ways gains access to a bit of memory it shouldn't access and now has a key that is TPM protected. What keeps that malware from just using the TPM to decrypt? The added points of failure are a bit worrisome because they were not explained: if I get a new motherboard or CPU, now will I no longer be able to access my encrypted keys?
I guess TPM is just for preventing various physical methods for extracting keys, as opposed to preventing misuse by the OS itself. If the OS is compromised, there is not much a TPM can do.
@@zyansheep Then it's quite useless. There is low risk that anyone breaks into my home and tampers with the hardware on my computer; on the other hand it's connected to the internet so it could be compromised by software and remote hackers. And I want to be able to upgrade and repair my computer, tampering with hardware and UEFI settings myself.
@@zyansheep there is something it can do, if the part that got compromised was part of the state you selected (no idea how that part works, maybe it's not doable)
@@lubricustheslippery5028 yeah, i agree. Having a secure (open source) OS which won't be as vulnerable to exploits is much better for most people. TPMs seem pretty useless to the average consumer imo.
Of what encrypted keys are you talking? Your Bitlocker key? It's not saved inside the TPM, but ciphered with the TPM. You will have a backup of it, as every Bitlocker user knows. If your drive is compromised when it is up and running, your drive will already be unencrypted; Bitlocker protects against unauthorized access to lost or stolen drives. Anyway, W11 Home users will probably not have access to Bitlocker; it has so far only been available for Windows Pro users and Microsoft has not said so far that it will change. TPM is not only used for Bitlocker. Secure Boot is not an issue; it can always be disabled in the BIOS/UEFI in the worst of all scenarios. Other Windows security features that leverage the TPM use virtualization to stop any other software accessing its secrets (you can look for Windows Virtualization-based Security), which protects "runtime" internal Windows secrets that do not survive a reboot, btw.
8:10 Does this mean that if windows fails to boot and I can't repair it, that I can't restore the data from another install. Does the TPM require the exact install that I had before the crash?
So, with an active TPM, any sort of hardware failure will result in you losing pretty much everything? Be that a TPM failure, or motherboard, CPU, HDD etc. Sounds like a great idea, but also the cause of heartache.
Not necessarily. Most home users don't do full drive encryption. Just because you have an active TPM doesn't mean "whoops, every single byte of data you now have is encrypted now and forever". The Microsoft technology that does this is called BitLocker (can be used in conjunction with a TPM or not). If you have data that is "precious", or "irreplaceable", but not "secret", just store it in a place (or more than one) that isn't encrypted.
If you keep your recovery key, as the Bitlocker process insists you do (and won't even begin until you make a reasonable attempt at one method), then you lose nothing.
@@AdamReece87 This process sounds like it will be very easy to teach my grandmother and grandfather. Isn't it great how user-friendly, accessible, and stable Windows is these days?
My question is: aren't we already trusting our OS not to send your data off to a third party? What's stopping a malicious OS from just using the TPM to do that? I suppose the TPM could have a button physically connected to it that needs to be pressed before the chip does anything to ensure user consent. Like on mobile security keys or the Titan M on Pixels. How many TPMs (particularly on consumer hardware) do that?
And this TPM is of course 100% open source so we can all verify precisely how trustworthy it is and that it doesn't leak any information that is not chosen by us or the NSA, right?
@@enochliu8316 so you say that preinstalled key is BSD-licensed? Is the reference implementation the one an average person will get in their PC? Don't bother answering.
The concept of TPM has been lurking around for a number of years. I seem to remember claims some years back of TPM posing a threat to Linux or other alternative operating systems.
Trust me, if something can't be accessed someone will find a way; it may only be in person, but it had to be written to a chip at some point, so it can be read from and rewritten to again.
@@ss-xy2im Bitlocker keys are not saved inside the TPM; they are ciphered by the TPM. The ciphered key is readable on the disk. Obviously any Bitlocker user will have access to and will back up the secret or recovery key of their drive (you can look at how Bitlocker works for more information). Bitlocker has always been only for Windows Pro users and will surely not change with W11. TPM is not only used for Bitlocker (Secure Boot, Virtualization Based Security). So no, if your motherboard dies, no issue with your drive data. But if your drive dies and you do not have backups, yes, you will be screwed.
I wrote a bootloader that loads encrypted binaries, but only if: Secure Boot is enabled (disabling flips a PCR), my bootloader is loaded (again PCR), and my bootloader is signed with my private key (one of the PCRs changes when the Secure Boot key that's used changes). Only then will the TPM unseal its decryption keys, which are used to decrypt the binaries, which then load into memory. Before I jump to the OS I extend the PCRs once more to re-seal the key, and then I boot the system. So here we are! Boot level DRM... DRM in the deepest layer of your system.
I am so friggin glad the commenters are calling out the misleading statements in this video with the shortcomings of TPM systems. I hope the channel editors can learn a thing or two.
Key phrase used there. Make sure your hardware is using "their software", not any software. These TPMs could very easily support secure open source operating systems. Do they?
Except you are wrong. Perfect security can and does exist. Data transmission by quantum entanglement is a great example but there are easier to implement security schemes that simulate this principle.
@@roberttalada5196 Except, that is also wrong. If someone compromises the supply chain of your quantum entanglement system then you run into the same issue with compromising the TPM.
Microsoft have been trying to push TPM for decades. It's been revised and poked around with. Microsoft as usual, so keen to make it inconvenient to run anything other than Nauseating Windows and Microsoft applications.
Are there any PCI cards (or USB dongles) out there for TPM 2.0 for motherboards that do not have the plug in location? I do not seem to be able to find any....
I can see this as a way to lock a program from being modified. If you go to modify a program with mods or to look at the assets or just poke around, the TPM can lock you out of even just looking at it on your own PC.
I still don't want TPM in my machine in regard to how it would be implemented by the companies that make these chips, what could be inside of them and what proprietary software would run on them.
As I've already said around here, Linux without Secure Boot is a terribly bad idea ... Don't make me believe all parts of your computer use open-source firmware ...
TPM is how corporations impose their keys on our systems which we cannot view in order to protect information they want to keep secure, not necessarily for our benefit.
When the key is unwrapped by the TPM, don't you then need to store that unwrapped key in the memory for the duration of the decryption cycle so that the CPU can use that key to decrypt the data? And doesn't this create the same problem again of having the key in memory?
So now when my motherboard dies I lose access to my entire installation? There should be removable TPMs that can plug into several motherboards to make installations portable between compatible chipsets
I have some (hopefully) constructive criticism about the way the first half of this video was done. If you disagree with me please do reply... I'd love to find out if this is just me (I have a question at the end of this comment for anyone reading this) I liked this video and I understood everything that was explained but that's because I've recently done some casual reading about TPMs and how they're used and about the chain of trust when booting up your OS. So that made it easy for me to follow along with everything in this video because it was mostly just me going "oh yeah, I remember reading that" and just nodding along. But I feel like a lot of the stuff explained especially in the first 3-4 minutes of the video - where Dr Steve is setting the scene of how different solutions for "keeping the key a secret" are actually just moving the problem up a few layers and **why** we need a TPM - are kind of rushed over quickly in a couple of short sentences with some quick and not very clear (albeit funny) graphics of Mike. For example: Dr Steve explained how someone could modify the OS to send the key to a malicious 3rd party. Or how the firmware could be modified to skip checks that verify the OS was not tampered with in any way and had malicious code inserted in it (I suppose he's referring to the secure boot feature? Not sure..). All of these concepts were rushed over in a few very quick sentences in one or 2 breaths. Maybe that part of the video could have been explained a little slower so that it could really help the audience understand the problem?... especially audience members who have never even thought about or read about stuff like full disk encryption and storing decryption keys on the system and the different ways someone could try to steal them (and therefore, why we even have things like secure boot or TPM in the first place). 
I feel like someone with less knowledge would just be left confused after listening to all of those very quick points and not really leave here with a proper understanding of WHY we need a TPM. The reason I'm writing this comment is actually because this isn't the first time I've felt this way about a computerphile video. There were a couple of times where I noticed how some arguably important parts of the explanations were rushed/mumbled over with very little diagrams/graphics and it left me more confused and unable to keep following along with the rest of the video because of all the questions in my head. Sometimes the videos just help re-enforce knowledge for someone who already had a basic understanding about the video's topic beforehand, but it doesn't really help someone who's new to the topic understand it very well (unless maybe they re-watch the video a couple of times). But maybe I'm overthinking this so I have an open question to anyone reading this comment. If you are someone who has a basic understanding of encryption but wasn't really aware of TPM or secure boot or anything else about storing a decryption key safely on a computer... after watching this video, did you feel like it painted a clear picture and answered your questions about what a TPM is and why we need it? Or did you end up more confused than when you first came here.
I for one had the intuitive knowledge of what TPM does to Bitlocker, and this video just reinforced and clarified that and allowed me to confirm the fact that the Apple T2 is just a TPM without the TPM API.
Let's be honest, TPM will be used primarily by Microsoft as a copy protection. That's why this chip is required in order to run Windows 11.
Does a TPM even solve the problem? What if the OS doesn't work as intended or has an exploit that makes it not use the TPM? Remember, the TPM is used if you don't trust that the OS can keep the key secure, but you can only access the TPM through the OS. So instead of trusting the OS to keep the key secure, you trust the OS to use the TPM without logging the key before the encryption, and that the TPM doesn't leak the storage root key or the key to be encrypted. That just creates an extra point of failure. Also, what happens to your keys or encrypted drives if your TPM dies? You can't access your keys and encrypted data. You then should use a backup key? But doesn't that make the whole process obsolete? Please correct me if I am wrong.
You're not wrong. The key has to be in the clear at some point to be useful, and that makes it vulnerable. This is an attempt to minimize the size of that window, but at the cost of increased complexity and thus decreased reliability. I suppose the counterargument is that secure boot makes a root kit impossible, but I imagine we'll eventually find out that doesn't work either. Remember the speculative execution data leak? The more complicated you make a system the more likely it has a critical failure that you're not smart enough to see.
They are a horrible idea. If that TPM goes belly up, you lose access to all your data. If you don't have your recovery key, or lost it, or forgot the password for your MS account that you only used once 6 years ago, or enabled Bitlocker without an MS account (you know, the stuff the average person has no clue how to deal with) .. well then, you've lost everything. And please, don't pretend this is a rare situation. I fix computers for a living. 90% of my customers can't remember a password they created a month ago, and we have had 4 failed TPMs this year on computers that were encrypted with Bitlocker. Only one of those remembered his MS account password. The other 3 had their lives ruined. Now MS are going to force those people that are most vulnerable to enter into this horrible situation. This should only be used by people that have the equivalent of an IT department that can ensure it is employed correctly. A lot of people are going to have a lot of grief going forward. Mark my words.
You could say that about literally anything though. Do you trust all the software on your device you used to write that comment? Did any of it leak the keys used for TLS sessions? You probably don't know for sure.
@Matt You don't have to trust anything; you're welcome to your choices. The point I'm making is almost everything we use has cases for and against being trustworthy, and given none of us build 100% of everything we use ourselves, we're always going to be putting trust in someone else.
@Matt My point has been that TPM is no worse than anything else. Not intending to be "sneaky" and "dishonest", but I'm sure you'll read between the lines in whatever way you like. :)
@Matt No. What he's saying is, if you don't trust the TPM to be not compromised, then you don't trust the manufacturer. If so, why are you using their equipment at all?
To me it looks like I'll remain with Win 10 - but gradually move over to Linux as I get more and more software for it. Who asked for or wants TPM? Not 99% of Windows users I bet.
And most of these users already have it anyway. If you have purchased a laptop with Window 10 installed, you have this TPM chip, and you use it all the time.
@Øivin Fjeldstad Single point of failure. If the OS can set keys then there will be an exploit that can do it too. And everything will be gone, instantaneously.
Is it for security or to force new hardware sales? Will a CPU swap with, say, Intel PTT (Platform Trust Technology) make Windows 11 unbootable or lose activation?
I want an external TPM like device that works like a real key and lock - a machine only works when I physically plug the device in or NFC and the crypto-key never leaves the key device though it can be duplicated by an authorized third party key service (hardware store key cutting kiosk analog) and the same key can be used on multiple target devices (phone, laptop, desktop etc.) The design of this key device must not allow monopoly capture.
Look up USB keys and the FIDO protocol. It's exactly what you're looking for, and everyone should have one. That way lazy peeps can finally stop using the same password for everything!
I don't want one. I don't want things keeping me from controlling my own computer. It's a PERSONAL computer. It's not Microsoft's computer - it's MINE. This is a total cop-out. GET YOUR OS RIGHT, GUYS. Come on.
So, you trust those three letters agencies' hold on the manufacturer of those TPM chips? Looks like putting all eggs in an untrusted, private, for-profit, closed-source, faceless basket. Why not simply have the master "TPM" key never stored, nor pre-allocated, by using an early, low-level, pre-bios/uefi, user-inputted, password? It won't solve all the problems surrounding TPM, but that's a much better way to "store" that key. On top of that, other keys derived from that pre-boot password could be used to encrypt storage and/or memory. Also, have that temporary master key held in the most volatile, physically hard to access, self-destructing if coerced or probed, isolated memory. Then the problem is no longer in the system, and the tech/system side of it is secure (not the human part though, but that's another can of worms).
the design/manufacturing of it is handled in a more "secure" way, similar to other "secure" chips like access passes or bank card chips. So it's less likely that someone snoops out any security holes, or back doors which they are able to hide because of all the secrecy...
Yeah, pretty much, you could most likely make your own because of the open spec. The thing is that there is physically no way to reprogram them, even if you have access to the chip (you might be able to open up the IC and program through the die or whatever, but that's another point). It means that even if someone has access to your hardware, you still need to have extra access to the TPM.
@@SebBrosig this is simply not true. Secrecy/obfuscation does not result in better security. The TPM spec is an open spec, which means that anyone can find out how they work. This is in fact why they are trusted: there is no secrecy involved. It could be just a micro; it is an ASIC of course, but the hardware isn't some weird obscure hidden thing. Same with bank cards, by the way. Most bank card specs are pretty well known.
@@JoQeZzZ There is also something called fTPM, "Firmware TPM", where the firmware uses security features in the CPU (such as the AMD PSP or something in Intel that I forget) to implement the TPM. The root key is in the CPU itself.
This is the best explanation of TPM I've seen so far. One thing I still don't understand though is, how does it make it more secure in a practical sense, from a user's perspective?
And what's to stop a hacker from creating a virus that can access that function for wrapping and unwrapping keys just as a user might? And how about all of us that have no reason to use encryption keys for our e-mail or anything else that I know of? Sounds to me like they just kicked the can just a bit further down the road, and I fail to see how this is actually any more secure. If you need absolute security then you don't connect the computer to the internet.
TPM keys will be attacked as fast as the blue ray or other systems were attacked. It will be shared between so many companies and people that there is no way to guarantee the needed level of security to avoid determined attackers.
even if that happens, that doesn't reduce your security at all since the wrapped keys are still being stored in your system. they'd need root access to your system at the end of the day, which is the same as having no TPM.
By this point (2021-07-23 when this video was posted) attacks against TPM had already been done, see Wikipedia. Well, WP lists the ones that we know of, we have no idea what NSA, GCHQ, et al are capable of.
Your TPM's key is only inside your TPM. An AACS key is inside every copy of that revision of that BD-player. DVD keys were weak because exporting hardware/software from the US with stronger encryption was equivalent to exporting bombs (PGP was classified as a munition). Unless you're sharing your computer with millions of people, a key wrapped/sealed by a TPM is about as hard/worthwhile to attack remotely as a key generated from /dev/hwrng and stored in /root/SuperSecretKey, or the encryption keys in your SIM card, or the keys used to digitally sign your passport.
You have to trust the OS regardless; what a TPM helps with is verifying/enforcing that subsequent boots are running the same OS as when the values were set, even if the computer was booted to some other OS or was potentially tampered with in the interim. For example, Heads is a corelinux based bootloader that checks a PGP signature on the files in the boot partition, and lets you know if those are still valid. Every time you update, verification will fail and you need to re-sign things (the key lives on a security token, e.g. a YubiKey). If this happens unexpectedly then your computer might be compromised, because something on the boot partition changed. But that raises the question: how do you trust Heads itself hasn't been compromised? For that it uses the TPM to do a measured boot and seals a TOTP/HOTP secret with it at setup time, that you can put in a phone app. On every boot it tries to unseal the secret, and then displays a 6 digit code that you can compare. If the code matches, then you are almost certainly running the same bootloader, and therefore can at least trust that, but if it changed then you know that the computer is compromised and therefore you probably shouldn't enter your disk encryption password. FWIW that bit is based on Matthew Garret's anti evil maid stuff; I think that was the first thing to implement TPM + TOTP? Not sure...
@@forb291 If the OS does not communicate with the TPM, it won't be able to decrypt (unseal) the encryption key, meaning, your stuff will remain encrypted.
@@stoneskull But if you involve a TPM (or other key-bearing hardware device for that matter), the password is only part of the key material. Maybe that password is used to decrypt the key that is in turn used to decrypt your data. But however it works, if the TPM dies, you can no longer access your data, unless you have it backed up somewhere, either in the clear or encrypted with a key not protected by the TPM. So yeah, a TPM might secure the OS, but as far as I can determine, when it comes to your important data, it's either at the mercy of a piece of hardware that might fail, or not really protected by that hardware.
This has me very concerned. If a person installs a TPM chip onto their computer and their computer has 1 boot drive, 4 storage drives, 1 PCIe USB expansion card, and a graphics card, if ANY of those hardware changes after the TPM is installed on the system, the owner is completely locked out of their system because the system won't boot. The TPM checks and makes sure that the same hardware configuration still exists every time the operating system boots, and if it does not, then the owner is locked out of their system. This is horrifying in many ways. Let's say for example one of the 4 storage drives mentioned above dies or fails. The owner can not boot the system up because the (hardware) itself is not present. It died or failed. So if a person purchases a new storage hard drive aka hardware and installs it in their system to replace the failed storage drive, the system will not boot. Because the TPM will see that the system has a new hardware device that it does not recognize that has been added to the system. And the hardware does not match that of the original hardware that failed. Thus the TPM will prevent the system from booting at all, locking out the owner of such computer. This is a major problem. Even if the owner does not have failed hardware, let's say the owner wants to upgrade their motherboard to a newer version that the owner has been saving up for. It's the same brand, manufacturer and type of motherboard, just a newer, more up to date version of it. The owner will not be able to boot their system because the TPM has locked the owner out of the system because there was a hardware change. This is a major major major issue. It has nothing to do with data stored on a drive as that is a completely different discussion. We are talking about hardware itself. TPMs protect hardware. And it records the hardware state of the system when you first install and activate the TPM.
So while companies are pushing people to have a more secured system, it also comes with a barrel of nightmares. 🤷♀🤷♀🤷♀
11:11 is the only thing you need to know about it. Translation: it's got a backdoor embedded in it at manufacture-time that can't be removed or changed, which can be used to read ALL your keys and thus all your confidential data.
My workstation uses a server motherboard so I've had one of these installed for about a decade now...never used it like I should have thanks for this video!
Can't wait until a windows update changes some little detail that affects the system state used by the TPM and breaks all of the encrypted things you had.
@@jesseweigert6664 but how does Windows Update know where some of the sealed keys are? If I write my own program which uses the Windows API to have it ask the TPM to seal a key for me and then write that key onto the hard disk, how would Windows Update know that it needs to refresh that key on the disk as well, since Windows doesn't check all file I/O to mark any files that look like keys for later refresh?
@@reinei1 I don't know the specific details on how it works, but I do know that the security model in Windows prevents you from mucking with the TPM directly without invoking UAC.
Gosh I miss when computers weren't used for extremely sensitive data like your banking and every interaction with the government. There was a time when it didn't really matter that much if your computer had viruses because you didn't use it for anything important and you could just wipe everything and start fresh. Putting our credit cards on our computers was really painting an X on our backs, and now you can't really function without it. Same kind of vulnerabilities we're getting pushed into with every device having a camera and microphone built in, just adding more layers of bright red paint to the X and screwing up our choice architectures with our do-anything wonder devices.
I really don't like the move by Microsoft forcing TPMs into not only OEM builds but DIY consumers also. Legacy and scarcity doesn't bother me as much as Microsoft forcing a baseline, which other software can then use to enforce DRM/anti cheat/etc - all consumer unfriendly. Let's be real, the threat model of an end user losing their keys in a software attack compared to a TPM are very close in terms of relative probability. It's simply not an attack that needs to be worried about, and even if it was, users should have the choice to worry about it or not. Other security measures like HVCI/VBS which actually may have an impact seem to be bundled up with the TPM news, making many people think they need a TPM to get the HVCI/VBS security benefits (which is not true).
What happens when you replace your motherboard (for any reason)? Now you have a new TPM with a new key that you weren't using with all your other things.
So basically it's the re-emergence of the 1990's dongle. IT technology seems to be a series of cycles claiming to be new but really just a slight change of something that was once around a few years ago.
The way they work now TPMs don't protect the end user, they benefit manufacturers and OS makers far more and can easily be abused by then with nothing the user can do about it.
@@BattousaiHBr Because they control the keys, which determine what is and isn't allowed to happen. You literally have to get a key from Microsoft if you want to install Linux on a computer with secureboot enabled.
@@Razumen you didn't answer the question. how do manufacturers control the key that is stored in _your_ computer? i'm assuming you didn't watch the video and just immediately commented here...
8:20 Why isn't it far more likely to change the state of the system beyond recognition by just some hard-to-retrace combination of updates and new software installs, rather than a malicious action? Just a single malicious piece of software may compromise the system, and yet I don't see people reverting tens of new updates/programs just to decrypt a folder.
ok but why would I want to use a proprietary chip with severe vulnerabilities and a backdoored RNG algorithm when I could literally just use a password or a USB dongle with my encryption key on it
If TPMs are to become a thing, they MUST have open-source firmware and give complete control to the user. Under NO circumstances should it be possible for software to use the TPM to hide or restrict things from the user. Otherwise it can, and will, be used maliciously to *weaken* security.
Presumably those configuration registers on the TPM are written to at some point during startup. How is this done? It can't be the operating system writing them, because then a malicious operating system loaded on could just lie about them to trick the TPM into decrypting keys it shouldn't.
It's not worth the effort. The margins are tiny. The main problem is that your IC will not have shielded memory for physical security like the sort made by microchip.
Yes, but don't worry, every piece of software is also aware of that possibility. The example in the video is just an example. Bitlocker full disk encryption in Windows kind of works like that, but not totally; users will always have a recovery key to decipher their data. In the case of TPM changes, Bitlocker will just ask users to give it the recovery key, to reseal its key in the chip. As btw, TPM is not only made to support full disk encryption; a lot of various security features can leverage it, and yes, Windows has multiple purposes for a TPM (Linux also supports TPM, and they have also been used in enterprises for years btw). For information, Bitlocker has always been restricted to the Windows Pro version, and will be for W11 (which is kind of sad imo for Home edition users). So, if you never heard of TPM or Bitlocker before, you will probably not use Bitlocker under W11.
So, it basically operates kinda like a sim card or the secure enclave for the iphone, storing secure keys and only giving out wrapped versions (optionally unwrapping the key for authenticated users). Thank you for this clear description. 🙂
what I really learned from this video is we can't trust Mike
Or, you can trust Mike to point out what's wrong with you :P
Yeah, that Mike Rosoft is one untrustworthy sneak.
Mike is love, Mike is life.
I would bet that the NSA loves the TPM
Honestly, pretty much any BIOS at all can be corrupted into a backdoor.
The intel management engine runs MINIX and is pretty well known for being a hardware backdoor.
Can't wait until TPM is used to enforce per-device DRM licenses.
Do not give them ideas
Computer-as-a-service has begun
Calm down Satan
Umm.. Alright, sounds cool.. Can we get it so it's bound to a flash drive? So if any device breaks we just take that with us? And well, I hope what you mean by the DRM thing is that I can store movies on a local machine or on a computer on my local network.
I haven't watched the video yet so personally I don't see TPM allowing DRM content being local
Google already does a similar thing with Chrome: the TPM on a Chromebook validates the device.
There is a random number seed that is hard coded into the TPM in the factory; I cannot see how that could ever be abused. Everybody just needs to TRUST that the factory where the Trusted Platform Module was manufactured did not keep a copy of the EPS (Endorsement Primary Seed) that was hard coded in the chip. This seed is used for generating the EK, which is associated with the Endorsement hierarchy.
Or trust that they did not send a copy to powerful interested parties
You have to trust loads of things in that chain. Although if you are trying to defend against NSA/GCHQ the TPM is probably not for you.
This is not necessarily the case.
In the world of software we are used to pseudorandom number generators that appear random but are ultimately deterministic and rely on a seed. In hardware we suffer no such restrictions.
Indeed, if a TPM is being used for cryptographic functions it should contain a cryptographically secure random number generator. It's not uncommon for such generators to use some physical source to generate 'true' (or at least non-deterministic) random numbers. The TPM could, for example, use such a source on first boot, write the result into a register and blow fuses to make it permanent. If done correctly then both the manufacturer and designer would have no knowledge of each chip's key. Even if such a generator has an initial seed, the next state can't be determined using it alone.
Examples of 'true' random number sources include radioactive decay, quantum weirdness, electrical noise on supply rails, temperature/sound (e.g. tenth decimal place), etc.
There's a whole field of research around 'physical uncloneable functions' which might also be of interest.
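The two comments above disagree about where the Endorsement Primary Seed comes from, but agree on the mechanics: the EK is derived from the seed, so whoever holds the seed holds the key. The following is an added example (not the commenters' code and not any TPM vendor's firmware) that models that relationship. TPM 2.0 derives a hierarchy's primary keys from the hierarchy seed with a counter-mode HMAC KDF ("KDFa"); the code reproduces the shape of that derivation but not the exact label and context encoding the spec uses (an assumption), and stands a 256-bit HMAC key in for the real RSA/ECC Endorsement Key. `ToyTPM`, `EK_TEMPLATE` and the scenario functions are illustrative names introduced here.

```python
"""Added example: EPS -> EK as a pure function of the seed (toy model)."""
import hashlib
import hmac
import secrets
import struct
from typing import Optional


def kdfa(key: bytes, label: bytes, context: bytes, bits: int) -> bytes:
    """Counter-mode KDF in the style of TPM2 KDFa with SHA-256.
    Block i = HMAC(key, i || label || 0x00 || context || bits), i from 1.
    Simplified inputs (assumption): the spec splits context into two parts."""
    out = b""
    counter = 0
    while len(out) * 8 < bits:
        counter += 1
        msg = (struct.pack(">I", counter) + label + b"\x00"
               + context + struct.pack(">I", bits))
        out += hmac.new(key, msg, hashlib.sha256).digest()
    return out[: (bits + 7) // 8]


def ek_from_seed(eps: bytes, template_hash: bytes) -> bytes:
    """EK material as a pure function of (EPS, key template).
    Nothing is 'stored' in the chip: anyone holding the EPS recomputes this."""
    return kdfa(eps, b"EK", template_hash, 256)


class ToyTPM:
    def __init__(self, factory_seed: Optional[bytes] = None):
        # Either the factory burns in a seed (the worry in the first comment)
        # or the chip draws one from its own physical RNG on first boot (the
        # reply's design). The chip itself cannot tell the two apart later.
        self.eps = factory_seed if factory_seed is not None else secrets.token_bytes(32)

    def endorsement_key(self, template_hash: bytes) -> bytes:
        return ek_from_seed(self.eps, template_hash)

    def change_eps(self) -> None:
        """Model of TPM2_ChangeEPS: a fresh seed, so every key derived from the
        old seed is gone for good (and any certificate on the old EK is moot)."""
        self.eps = secrets.token_bytes(32)


# Constructed stand-in for the hash of a TCG EK template.
EK_TEMPLATE = hashlib.sha256(b"constructed stand-in for a TCG EK template").digest()


def factory_can_reproduce_ek() -> bool:
    """If the factory kept a copy of the EPS, it recomputes the EK offline
    without ever touching the shipped chip."""
    eps = secrets.token_bytes(32)
    chip = ToyTPM(factory_seed=eps)
    factory_copy = ek_from_seed(eps, EK_TEMPLATE)
    return hmac.compare_digest(chip.endorsement_key(EK_TEMPLATE), factory_copy)


def change_eps_invalidates_copy() -> bool:
    """After the owner replaces the seed, the factory's copy no longer matches."""
    eps = secrets.token_bytes(32)
    chip = ToyTPM(factory_seed=eps)
    factory_copy = ek_from_seed(eps, EK_TEMPLATE)
    chip.change_eps()
    return not hmac.compare_digest(chip.endorsement_key(EK_TEMPLATE), factory_copy)


def self_seeded_chips_share_nothing() -> bool:
    """Two chips that seeded themselves from their own RNG have unrelated keys."""
    return ToyTPM().endorsement_key(EK_TEMPLATE) != ToyTPM().endorsement_key(EK_TEMPLATE)
```

The point the two functions make together: a copied factory seed reproduces the EK forever, while a seed the chip generated (or that the owner replaced) is unknown to anyone outside the chip; the trade-off is that replacing the seed also discards whatever EK certificate the vendor issued.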
They'd also have to figure out exactly whose computer it went into.... and, since you can move hard drives from machine to machine, that it was even done with the TPM in the current computer. It's not really an issue aside from manufacturer-direct prebuilt machines.
If you are talking about silicon, it is not made in China; it's in Taiwan, which is a whole separate country.
TPMs make me nervous because a hardware failure could render me unable to access my own keys and data. That seems more likely than a black hat hacker pulling off a root kit on my OS.
This or the factory OTP bits used for the TPM master key are all stored in a database linked to the motherboard's serial number.
It's pointless regardless. There are many ways of solving this problem. A password you have to provide on startup of anything that decrypts those keys would probably be the best idea, since 1. you're not relying on that hardware, 2. you don't need any external hardware. I'm pretty sure this is what Linux already does with its "Keychain" technology.
Likelihood depends. Are you a soccer mom or are you a state senator on a national security committee? Are you a fireman or are you an engineer at Lockheed? Your viability as a target depends on what you do and what hackers want. There are many hackers who wouldn't target a state senator but would go after a soccer mom because they stand to benefit more monetarily. You never know when you're a prime target, even when you're just an ordinary Joe. Your concerns are still valid though.
Real question: Does windows have a bitlocker alternative for full drive encryption? I ask because it isn't fun to enable when dual booting ... windows detects a root of trust compromise and I get to log into my Microsoft account to enter an alphanumeric phrase to log into windows to disable bitlocker drive encryption. Fun!
No, if you use BitLocker, with the exception of your drive dying, there is no issue getting your data back.
The BitLocker key is not saved inside the TPM; it uses the TPM to encrypt it, and the encrypted version of the key is readable on the drive. Then it uses the TPM at boot to decrypt it and use it (i.e. the cleartext key is not saved on the TPM).
As long as BitLocker works, obviously Windows will let you back up your BitLocker key (nobody said you can't put your drive in an external enclosure and use your recovery key to decrypt it).
For information, if your Windows account is not a local one but an online one, by default Microsoft backs up your keys online for you (in other words, they back up end users' as* 😁)
So yes, no worries, IT engineers aren't dumb, BitLocker has existed for years, it's a stable product 😁
Btw, so far BitLocker has always been reserved for the Pro version of Windows; I'm not sure it will be included by default on W11?
Windows has a lot of different security uses of the TPM (secure boot, virtualization-based security, ...)
TPM is "just" a secure cryptographic vault; how it is used by OS(s) and software is only limited by imagination and current technology (yes, secure boot has been supported by Linux for years 😁)
In all cases, regarding the data, backups are the first rule of all!
As always...this is quite informative.
In my industry (cinemas) we have this dreaded thing called the "KDM" (Key Delivery Message) where by a content creator is issued a certificate that allows them to make a key to allow their content to play on your server for a specified amount of time (based on a start/stop date/time)...the KDM can put restrictions, naturally on what devices may be used on the TDL (Trusted Device List) though mostly it is just the server's mediablock but it could include the projector and even the sound system, in the case of Dolby Atmos.
My concern about TPM is from what I've experienced for over 10 years now, where the security becomes a bottleneck in free use of one's equipment. At some point, TPM will require that there is communication between software/applications and the TPM for keys to be handed off, wrapped, stored, requested, used... etc. There is plenty of opportunity for legitimate systems and software to cease working, or randomly work or not work, due to the security. At what point are people more concerned about the need for TPM versus their need to get things accomplished? Even such low-end security as HDCP causes no end of grief, with legitimate equipment fumbling on key handoffs/repeaters and even simple sink/sources periodically blanking the screen/sound.
Exactly! I'm glad to see some existing real-world concerns backing up the theoretical ones. I was also wondering about HDCP, and how it might interact with TPM to make something even worse.
The nature of PCRs is such that they really aren't practical past the point where software stops executing in a predictable order. So they're great for measuring the security state of the boot process for unsealing a disk encryption key but nearly useless for most of the DRM nightmare scenarios that were predicted by the FSF (and resulted in the tools in Linux being several years behind those on Windows). Also the policy language for TPM2.0 is specifically pretty complicated to make it possible to write robust policies that are updateable to deal with upgrades to the system.
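The BitLocker description earlier in the thread (the key is wrapped by the TPM, the wrapped copy sits on the drive, and a recovery key exists independently of the hardware) and the PCR point just above are two halves of one mechanism. The following is an added example, not BitLocker's or any TPM vendor's code, that puts them together in a toy model: a SHA-256 PCR extend chain fixes the boot order, a volume key is sealed to the resulting PCR value, and a second, password-derived protector lets the same key be unlocked and re-sealed after a motherboard swap. Assumptions: the 'TPM' is a class whose only secret is a seed it never exports; an HMAC keystream plus tag stands in for the TPM's real authenticated encryption; the boot-stage bytes, the recovery password and all names (`ToyTPM`, `scenario`, ...) are constructed for the example.

```python
"""Added example: PCR sealing plus a hardware-independent recovery protector (toy)."""
import hashlib
import hmac
import secrets

H = hashlib.sha256
PCR_INITIAL = b"\x00" * 32


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """PCR extend: new = H(old || H(data)). Order matters and nothing can be
    'un-extended', which is why PCRs work for boot (predictable order) and
    not for arbitrary software started later."""
    return H(pcr + H(measurement).digest()).digest()


def measure_boot(stages) -> bytes:
    pcr = PCR_INITIAL
    for stage in stages:
        pcr = extend(pcr, stage)
    return pcr


def wrap(key: bytes, secret: bytes) -> dict:
    """Toy authenticated wrap (NOT a real cipher): XOR with an HMAC keystream, then tag."""
    assert len(secret) <= 32
    nonce = secrets.token_bytes(16)
    stream = hmac.new(key, nonce, H).digest()[: len(secret)]
    ct = bytes(a ^ b for a, b in zip(secret, stream))
    return {"nonce": nonce, "ct": ct, "tag": hmac.new(key, nonce + ct, H).digest()}


def unwrap(key: bytes, blob: dict):
    tag = hmac.new(key, blob["nonce"] + blob["ct"], H).digest()
    if not hmac.compare_digest(tag, blob["tag"]):
        return None                      # wrong key or tampered blob
    stream = hmac.new(key, blob["nonce"], H).digest()[: len(blob["ct"])]
    return bytes(a ^ b for a, b in zip(blob["ct"], stream))


class ToyTPM:
    def __init__(self):
        self.seed = secrets.token_bytes(32)   # unique per chip, never leaves it

    def _seal_key(self, policy_pcr: bytes) -> bytes:
        return hmac.new(self.seed, b"seal|" + policy_pcr, H).digest()

    def seal(self, secret: bytes, policy_pcr: bytes) -> dict:
        blob = wrap(self._seal_key(policy_pcr), secret)
        blob["policy"] = policy_pcr          # public: the expected PCR value
        return blob

    def unseal(self, blob: dict, live_pcr: bytes):
        """Release the secret only if the live PCR equals the sealed policy.
        Editing blob['policy'] to match a tampered boot changes the derived
        key, so the tag check fails anyway."""
        if not hmac.compare_digest(blob["policy"], live_pcr):
            return None
        return unwrap(self._seal_key(blob["policy"]), blob)


def recovery_protector(vmk: bytes, recovery_password: str) -> dict:
    """Second protector: the same key wrapped under a password-derived key,
    which is what lets the drive open on entirely different hardware."""
    salt = secrets.token_bytes(16)
    k = hashlib.pbkdf2_hmac("sha256", recovery_password.encode(), salt, 100_000)
    blob = wrap(k, vmk)
    blob["salt"] = salt
    return blob


def unlock_with_recovery(blob: dict, recovery_password: str):
    k = hashlib.pbkdf2_hmac("sha256", recovery_password.encode(), blob["salt"], 100_000)
    return unwrap(k, blob)


# Constructed boot stages; OTHER_BOOT inserts an extra loader ahead of the rest.
GOOD_BOOT = [b"firmware v1 (constructed)", b"bootmgfw.efi (constructed)", b"winload.efi (constructed)"]
OTHER_BOOT = [GOOD_BOOT[0], b"grubx64.efi (constructed)"] + GOOD_BOOT[1:]
RECOVERY = "111111-222222-333333-444444-555555-666666-777777-888888"   # constructed


def scenario() -> dict:
    vmk = secrets.token_bytes(32)             # volume master key
    tpm = ToyTPM()
    sealed = tpm.seal(vmk, measure_boot(GOOD_BOOT))
    recovery = recovery_protector(vmk, RECOVERY)

    new_board = ToyTPM()                      # motherboard swap: different seed
    unlocked = unlock_with_recovery(recovery, RECOVERY)
    resealed = new_board.seal(unlocked, measure_boot(GOOD_BOOT)) if unlocked else None
    return {
        "normal_boot_unseals": tpm.unseal(sealed, measure_boot(GOOD_BOOT)) == vmk,
        "extra_bootloader_blocks": tpm.unseal(sealed, measure_boot(OTHER_BOOT)) is None,
        "new_tpm_blocks": new_board.unseal(sealed, measure_boot(GOOD_BOOT)) is None,
        "recovery_password_unlocks": unlocked == vmk,
        "wrong_password_fails": unlock_with_recovery(recovery, RECOVERY[::-1]) is None,
        "resealed_on_new_tpm": resealed is not None
        and new_board.unseal(resealed, measure_boot(GOOD_BOOT)) == vmk,
    }
```

The `new_tpm_blocks` and `resealed_on_new_tpm` results are the hardware-swap case: the old sealed blob is useless on a chip with a different seed, but the recovery protector never depended on the chip, so the key can be recovered and sealed again to the new one. The `extra_bootloader_blocks` result is the other face of the same design: any change in what runs before the OS, including a different loader in the chain, changes the PCR and the seal refuses.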
Aren't you already trusting your CPU not to do that?
it all comes back to trusting those chips (and their vendors) and the programmers of the software required to operate them - and it adds even more complexity to a non-trivial topic
If TPMs get really popular there will be an open source version too where hard- and software is freely accessible. For random number generators, this already exists (see OneRNG for example). As mentioned in the video, the standard is viewable by anyone. This means if you are exceptionally paranoid, you can make your own hardware.
@@radio4active - Hardware that will have to conform to standards that will ultimately rely on some very complex mathematics that aren't publicly known to be insecure. Black project aircraft? Why not black project mathematics? Haven't some older algorithms been shown to be weak? Don't governments have super-computers?
@@radio4active and indeed this is a problem. Imagine you're working for a human rights NGO that has just uncovered the Pegasus surveillance scandal, and that you want to help human rights defenders around the globe to protect themselves. You will now have to offer them a way to modify their own hardware, instead of software.
So the only person who knows what key has been burnt into the TPM is the manufacturer ... and the people and governments they share that with.
it's an nsa backdoor, plain and simple
"Trusted Platform Module" count: 35
35 shots it is then 🥃
If he only had a convenient acronym to use instead....
"eggs all in one basket"
"Single point of failure"
"Backup intolerant"
lolololol
I think he won the bet :)
So, once we start relying on TPM, don't we basically create a single point of failure (or vulnerability)? Which, even worse than usual, can't be patched to fix vulnerabilities, by design.
I don't think so, because the alternative is to have no security at all. Without TPM, if you have physical access to the machine, you can just boot a Linux system from a USB stick and do whatever you want to the primary OS. If you manage to defeat the TPM, it just means that you go back to how stuff was done before. (At least that's how I understand it, I'm no expert.)
@@zaandam0172 yes I was using veracrypt to encrypt my SSDs, even the system partition. But TPM is better because you can use windows hello. You can buy a usb fingerprint reader for your desktop and your laptop most likely has a fingerprint or 3D face unlock. It saves time trying to type a long password.
Thats exactly what this is. One giant centralized CIA backdoor opportunity.
@@uncannysnake Since they are probably manufactured in China or Taiwan, I don't think so, no.
May I add it is likely that Bitlocker will not be included in the W11 Home edition anyway; the feature has always been reserved for the Windows Pro version so far.
TPM is not only used for Bitlocker, and the other kinds of protection it offers are the opposite of what you think, since it offers runtime security of the OS; the CIA probably do not want it, they are surely right now thinking about how to overcome the Windows features that leverage it.
@@LordNementon This really is a comment beyond saving.
>CIA probably do not want it
If they would not love it, it would not exist. There are agreements in place that every big software and hardware manufacturer in the US must provide government backdoors. You are obviously not aware of this or doubt it is real. It is and you need to look this up ASAP to become informed.
I normally love these videos, but this was the most convoluted explanation of how the TPM works, and I already understand it. And this is a rare case where the graphics did very little to help.
So glad that Computerphile decided to cover this topic. I found the video somewhat useful, but it doesn't clearly explain the full topic. Either that or TPM's are a flawed idea, cos it seems like just begging the question
All the security in the TPM is that you cannot do any non-destructive attacks to extract the root key, or bypass the need to do so in order to extract any other information from it.
Userspace programs won't use the TPM for much really, they'd ask the operating system to do the encryption and everything. The TPM doesn't come into play for regular application developers. OS kernels, bootloaders and bare metal hypervisors are the only clients.
Bitlocker. I've noticed that booting Windows through Grub when I initially set it up directly will fail the check and force me to insert the recovery key (or to shut down)
You still have to trust the root key. I don't trust any key I haven't generated myself.
this
When was the last time you generated a key with pencil and paper? 😈 just teasing. But actually my brother worked on a security device that works in this way and the “root key” was not generated by the manufacturer, it was actually derived from the physical characteristics of the silicon itself which guaranteed it to be truly random and truly unalterable/unable to be replicated. I don’t know anything about the TPM spec, but I wonder if it’s doing something similar 🤷🏻♂️
@@leviathan7477 oh, this sounds like a PUF (physically uncloneable function). They're quite interesting, and I got to learn a little about them this past spring. The basic principle is that you send a PUF a challenge, and it gives a response. One example of this is a metal resistance PUF. You have an array of metal interconnects on the chip, and the challenge is used to select one of them. There is a higher voltage at the top of the metal interconnect and a lower voltage at the bottom. The greater the resistance of the interconnect (which is determined by manufacturing variations), the lower the bottom voltage. Each voltage is used to power a separate long chain of inverters. A pulse is generated at the start of the bottom inverter chain, and after a small delay, it is also sent to the top inverter chain. Because the top inverter chain is powered by a higher voltage, the pulse will propagate down it faster and eventually pass the pulse still propagating through the bottom chain. The chip measures how many inverters it takes for this to happen and uses this number to produce the response. The idea of PUFs in general is that an organization records responses to many selected challenges during an "enrollment" phase and then later, during normal operation, can send those same challenges to the device in the field and check its response to verify that it is actually the device (and not someone trying to impersonate it). In practice, this is difficult, because physical characteristics of silicon change depending on temperature and voltage, but there are ways to compensate for this (essentially by using a few bits of helper data to "error correct" the response to the one recorded during enrollment). My professor was somewhat skeptical of PUFs, though. Who's to say physical characteristics of silicon are truly random? 
With a better understanding of the manufacturing process and device physics, perhaps we will be able to correlate manufacturing variations in one part of a chip with variations in another and predict PUF responses.
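The enrollment and helper-data scheme described above is concrete enough to run. The following is an added example, not the commenter's code or any PUF product: a simulated PUF (a fixed random bit string per device whose readout flips some bits from run to run, standing in for temperature and voltage drift) is enrolled by XORing its response with a codeword, and later reads are error-corrected back to the same key with a 5x repetition code. Assumptions: the noise model flips a fixed number of bits in every 5-bit group (a worst case, chosen so the result is deterministic), the key is a hash of the decoded bits rather than the raw response, and `SimPUF`, `enroll`, `reproduce` and `demo` are names introduced here.

```python
"""Added example: PUF enrollment with public helper data and majority decoding (toy)."""
import hashlib
import random

REP = 5                 # repetition factor: corrects up to 2 flipped bits per group
KEY_BITS = 128
RESP_BITS = KEY_BITS * REP


class SimPUF:
    def __init__(self, rng: random.Random):
        # Manufacturing variation, modelled as uniformly random bits (assumption).
        self.true_bits = [rng.randrange(2) for _ in range(RESP_BITS)]

    def read(self, flips_per_group: int, rng: random.Random) -> list:
        """Noisy readout: flip `flips_per_group` random bits in every REP-bit group."""
        bits = list(self.true_bits)
        for g in range(KEY_BITS):
            for i in rng.sample(range(REP), flips_per_group):
                bits[g * REP + i] ^= 1
        return bits


def bits_to_key(bits: list) -> bytes:
    """Hash the decoded bits so the raw response is never used as a key directly."""
    n = int("".join(str(b) for b in bits), 2)
    return hashlib.sha256(n.to_bytes(len(bits) // 8, "big")).digest()


def enroll(puf: SimPUF, rng: random.Random):
    """Enrollment: pick a random key, encode it, XOR with a clean response.
    The helper data is stored in the clear; the key and the response are not."""
    key_bits = [rng.randrange(2) for _ in range(KEY_BITS)]
    codeword = [b for b in key_bits for _ in range(REP)]
    response = puf.read(0, rng)
    helper = [r ^ c for r, c in zip(response, codeword)]
    return helper, bits_to_key(key_bits)


def reproduce(puf: SimPUF, helper: list, flips_per_group: int, rng: random.Random) -> bytes:
    """Field use: noisy response XOR helper = noisy codeword; a majority vote per
    group removes up to (REP-1)//2 flips and recovers the enrolled key bits."""
    response = puf.read(flips_per_group, rng)
    noisy_codeword = [r ^ h for r, h in zip(response, helper)]
    key_bits = []
    for g in range(KEY_BITS):
        group = noisy_codeword[g * REP:(g + 1) * REP]
        key_bits.append(1 if sum(group) > REP // 2 else 0)
    return bits_to_key(key_bits)


def demo() -> dict:
    rng = random.Random(2024)                 # seeded so the run is repeatable
    device = SimPUF(rng)
    impostor = SimPUF(rng)                    # a different chip of the same design
    helper, key = enroll(device, rng)
    return {
        "tolerates_2_flips": reproduce(device, helper, 2, rng) == key,
        "fails_at_3_flips": reproduce(device, helper, 3, rng) != key,
        "other_chip_fails": reproduce(impostor, helper, 0, rng) != key,
    }
```

The helper data can be public only if the response bits are unpredictable, which is exactly the skepticism voiced above: if silicon variation in one part of a chip turns out to correlate with another, the helper data starts to leak the key bits it was meant to hide.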
Agree
@@m5w5 Based on your description of a PUF implementation, how do you avoid a replay attack when the challenge is always the same?
If the keys are encrypted in hardware, wouldn't that make everything unreadable if you have to switch motherboards?
Well, the TPM isn't in the motherboard; it's located in the CPU or plugged into a header on the motherboard. But yes, if you were to change the CPU or the chip then it would be unreadable.
The way you avoid this is by decrypting all the data before you change the CPU or TPM, then re-encrypting it again after you change parts.
This is probably what the recovery key is for.
@@mr_biscuit Which is fine, if annoying, if it's a planned update, but what happens if my motherboard fails and I have to replace it without being able to decrypt everything first?
Initially yes, but you get a recovery key when you encrypt your Windows drive. On a new motherboard, you get prompted to enter the recovery key which then gets stored in the TPM and is used to decrypt the drive.
Lots of people are unnecessarily freaking out about this, but TPM based Bitlocker drive encryption has been a thing in Windows for a long time, primarily used in enterprise. I use it myself, and have had no issue in the past taking a Bitlocker encrypted drive, putting it into an entirely different system and booting it up with the recovery key.
@@t_z1030 how does a recovery key work with encryption in hardware if the hardware used to decrypt isn't known at the time the recovery key is created?
Isn't this all a ploy to get more Digital Restrictions Management and licence enforcement into our machines? Apart from the obvious (EDIT: comparatively minor) problems of the vendor-supplied Endorsement Key with which the computer can be uniquely identified. I'm not really keen on having 'security' with keys and dedicated chips outside of my control.
>with which the computer can be uniquely identified
I have some bad news for you bud :(
More like a plan for a few billion TPM keys generated in a factory to be given to the NSA so they can dictionary crack any communication.
@@DerUnbekannte As in the other thread, just wanted to say that the identifiability is not really what I'm bothered about, since there's already many ways to fingerprint a system.
And what makes you think that?
You can go for a Linux system, but even there, not using a TPM and secure boot is today, was yesterday and will even more be tomorrow an extremely bad idea.
Microsoft has let you run its OS without activating it for a long time; it just bothers you with some reminder messages as WinRAR does, but what's the point of not paying for your Windows license?
Of course it is
Is the "root key" burned into the tpm and unchangeable? Is "Secure Boot" related to the tpm? Can you do a video on "Secure Boot". Why do linux distros need to have microsoft sign their "bootloaders"?
IMO, it sounds like in order to trust the tpm, you need to trust the person that generated the "root key". If that person is not you, then you can't claim it's security in your interest. It's like the browser trusted root authorities regime... faced with advanced state actors, it provides zero security.
Yes to both -- there's a TPM-unique secret key set by the chip manufacturer, and TPM is used to implement UEFI Secure Boot. And it's not only your opinion, but simple fact that one would need to trust the TPM manufacturer, ain't that grand?
@@Oquasinus ah yes, let's distrust the hardware manufacturer, you're so smart.
you're now using an abacus, congratulations
All vendors are idiots just need money they don't care if someone loses their data or compromise thier credentials
@@DerUnbekannte Of course you have to trust the hardware to not contain backdoors. I merely pointed out that a technology specifically meant for security doesn't give any if its main key is determined by a third party. What are you arguing for?
@@Oquasinus the question is what are *you* arguing for. if you think hardware is compromised, then that's already the case now.
how would adding tpm's be less secure?
for the vast majority of cases, a tpm strengthens the security model considerably.
This will make changing drives and MoBos a nightmare. Don't set up both ends right for a hardware change, and you lock yourself out of access. Gone are simple hardware swaps.
Absolutely. I foresee a lot of irretrievable, irreplaceable files destroyed due to this. It's just a matter of time before someone permanently loses access to crypto coins, family photos, receipts and videos and so on.
@@soylentgreenb this is why I hate Microsoft… I highly doubt it will happen but I really do hope Mac/Linux prevails…
@@prestonferry Mac? You can’t replace any hardware on a Mac.
@@JayVal90 yeah, but Apple isn’t as snarky and proprietary on Mac… You still have a little bit more control over the system and it’s also way more secure and durable than Windows is… Even if you can’t interchange parts I think it’s still more trustworthy…
@@prestonferry On Macs, you quite literally have the exact same problem that @Jandra Elune described in their original comment. If you remove the SSD on a Mac, you basically brick the machine because of the T2 chip. Remember how iPhones refuse to boot if you replace the camera? How do you think this is accomplished... If anything, they are _way_ more snarky and proprietary because you can't even buy a new T2 chip if it breaks. Anyone can buy a new TPM or SSD if they want to, and installing them is trivial. You can even take a compatible TPM to a new machine, with the same drive, and keep all of your data encrypted in the process.
"In a nutshell" a TPM is admitting that we've failed at security, that we're not going to even try, and we're going to use it as a convenient excuse to identify and restrict your use of your PC.
Nah, TPMs are an important part of platform security, and a properly designed one should not leak trackable information into user space, but they're solving separate problems
@@mr_waffles_the_dog And a properly designed one shouldn't have a problem with complete user control, but I don't really see evidence that this "important part of platform security" is being designed with users owning their own system in mind. In fact, everything I've read so far is that it's often going to be used in controlling what the user can do.
My comment, however, was addressing the fact that appropriate security at the OS level would eliminate the need for this implementation of TPM --- and the fact that we'd failed at that is why some in the community are acquiescing to their existence.
The next (or the current) challenge in computing is: "who _really_ owns your computer" ...
@@randomscribblings Appropriate security at the OS level *cannot* stop someone with physical access to the machine, the TPMs address that attack vector, they further isolate important keys from the OS itself. Which is a defense against the OS itself being compromised.
I can't speak to PC TPMs but on a Mac you can disable trusted boot at a partition/OS granularity. Disabling it requires access gated by the SEP in a separate boot mode, and toggling protection effaces a bunch of critical keys (things like the credentials for Apple Pay, Touch ID, etc).
@@mr_waffles_the_dog Meh. Secure boot doesn't require TPM. With public key crypto, the OS simply doesn't boot an unsigned OS. This is a red herring and not an interesting use of TPM. We've had secure boot for awhile _without_ it requiring TPM. Secure boot is simply a gateway drug to get you to accept TPM.
Similar to the OS being hacked, TPMs don't really address the OS asking the TPM to sign things that shouldn't be signed. A compromised OS is catastrophic for security. And by asking it to sign chosen plaintexts, it could quietly use the system's on GPU (say) to hack on the security of the TPM itself.
But simply put: secure boot can be easily solved without TPM. TPM doesn't solve new problems ... unless the problem is user control.
Heck... secure boot can be solved (even) with read-only media. Did that back in 1995 with CDROM internet-router images as a product.
Those boys at Chaos Computer Club / Black Hat are going to have a field day.
Yes! This just screams "Multiple future Blackhat talks" and at least one wikihow on "replace your TPM with the number "4" [selected using the fair roll of a die.]"
They've been having a go at TPMs for over a decade. There's been the odd talk about poor implementations from manufacturers (e.g. ROCA, TPM-Fail), but that's nothing new in the security domain. TPMs have a really strong record for doing what they're designed to do and nothing more.
Ah yes ... Mentioning the CCC reminds me of the 80s when Mudge and L0pht Heavy Industries. Those guys were the bomb in the day.
Moments like 1:51 is what make these videos brilliant.
indeed, well said
"Some dodgy geezer called Mike."
Shots fired. And careful. Mike's already done all his arm exercises.
"I only joke, Mike doesn't use that web address to catch people's keys; He uses a different one."
TPM, interesting, possibly useful tech.
Making TPM obligatory… totally jerk move from corp well versed in making totally jerk moves.
What stops Mike (the villain, of course) from sending me software that in the background asks the TPM to unwrap my private key?
Or exploit the TPM to add a trampoline to return its key when asked to wrap 0xdeadbeef, disable sealing keys, wait a week, and then exfiltrate all your (now unsealed) keys through other, more easily exploitable software?
Probably the operating system will set things up so that only it can talk directly to the TPM, and that arbitrary software can't. The OS will of course try to only talk to the TPM in a secure way. Then UEFI Secure Boot is supposed to be used to ensure nobody has tampered with the operating system itself.
@ If man can make it, man can break it. This sounds like the "chip" credit cards; they cracked that within a week of it being on the market...
What this is REALLY about is letting Microsoft control your computer so they can encrypt and send anything to themselves from your computer they want without your knowledge. You HAVE to hand over the encryption abilities hardwired into your computer to windows meaning they can do whatever they want without your knowledge. There's a cost for Windows being "FREE", and it's losing the last shreds of privacy you had.
@@jetjazz05 Dude, they make the OS
Having a TPM isn't going to magically mean they can access more of your data.
If they want, they can already access all of your data
Looks like eventually OS vendors want to limit what programs you can run. (Also for DRM reasons.) More or less like macOS already does, except for now their fallback is to just run the program.
Security and usability are an inverse relationship. The more security that gets implemented in computers the more important it becomes to have a backup or three (preferable air-gapped) of your data someplace for when the computer suffers some sort of corruption or failure and everything becomes unrecoverable.
welcome to RMAing your mobo and losing your f'king life.
Somewhere
@@jetjazz05 Aka buying an Apple laptop
-usability- convenience ("usability" is too broad a term here)
Tying the OS to the hardware, can't wait for MS to brick a few million PCs with their ham-fisted efforts.
In case you aren't aware, MS is the one playing catch-up here with TPM thingies.
@@UltimateAlgorithm Great MS is just one of the evil players. Best defense, Pol Pot did nothing wrong there were those other guys too that did it before.
Have TPM built-in keys ever been supply-chain compromised? What is stopping the TPM manufacturer from recording which key is written to the OTP bits on chip xyz0001?
They could, but then is that machine any less secure than a computer without a TPM?
@Øivin Fjeldstad how do you recommend operating a PKI? If you were to deploy some IoT devices... what hardware would you use? Would you operate your own CRL and certificate lists to manage the x509 certs? Would you conduct your own initial provisioning of devices? How would you boot an IoT device securely? What if the IoT device doesn't have an OS? I understand these are very open-ended questions, but I am curious about your take on any/all of these questions.
@Øivin Fjeldstad could you please just stop lying. It is not just one layer. Simply because nothing stops anyone from "using it as the only layer and ignoring the others". This is just a tiny fragment of the set of issues one may have with TPM. And I will not waste my time explaining why exactly all of a sudden so many security experts, whistleblowers, ... never said a single word about the need for everyone to have "some dedicated hardware security life saver".
@@michaels8297 what is the point of asking a person about security if that person either intentionally lies or doesn't know basic things about it?
@@VictorYarema to blindly follow advice. You should elaborate on your position.
Virtualization can make the boundary between hardware and software fuzzy, wonder how that plays into this. Will a hosted system be able to tell whether it's talking to a real TPM?
What happens when your friendly neighborhood ransomware vendor takes over your TPM? Do you get to use your computer again ever?
The TPM is implemented in hardware and presumably has no persistent storage. There is nothing to take over.
As for VM's there is no real concern. If a guest OS gets pass-through access to a real TPM, great, then the guest OS can enjoy the benefits of increased security. The guest OS is just software running on the host OS. That guest OS can only impact the security of the host OS in the same way that all other software on the host OS could. If the guest OS is only given a software TPM then that could be an issue for the guest OS, but I would wager in most cases the user would be aware of this and the consequences are on the user.
@@Faladrin TPMs do have some persistent storage, but yeah, there's not much to take over on one.
@@Faladrin i thought he meant spoofing the tpm. if the system thinks it's talking to the real tpm but it's really a tricky program taking over the role.
The hosted system is able to know if the TPM is the same as the one before, because it cannot decrypt without it. Man-in-the-middle attacks are possible, but the TPM can help provide the check to prevent some. Ransomware has way easier attack vectors than spoofing driver-level components.
I have Windows 11 running on a VM with not a hint of TPM issues, or from a lack of one.
I feel like what I am hearing is that if my computer dies for some reason, all my data on the hard drive is SoL and irretrievable by software? Am I wrong? If so, I don't want that.
Bitlocker recovery keys save the day, as they always have. And you do want that if an attacker gets your hard drive.
@@enochliu8316 Which negates the security of bitlocker and the tpm a bit, right? It means there is an attack possible from that side. I do have it configured that way, because you can take security so far it totally becomes impractical and prone to what Nezz mentions.
It depends.
The way Apple did it, yes, 100%. It is soldered on the motherboard and that's that.
If your PC has an embedded TPM, then you're in the same boat. If your PC has a separate TPM that you can remove, then you can put it in a new compatible computer and decrypt the drive. Depending on if you enabled secure boot or not, you might even be able to boot into Windows just fine.
In practice with Windows 11, secure boot is also required, so your TPM will refuse to release the keys to your drive.
In the end though, if your computer dies, it is very likely that your drive is to blame. SSDs have write limits, HDDs have mechanical components. Outside of fans and batteries which do not interact with the TPM, they will be the first to fail under normal circumstances. In other words, you should have an (encrypted) offsite backup of your data anyway.
If your HDD dies for some reason, all your data are irretrievable... If your computer is infected by ransomware somehow, all your data are irretrievable, if... just do (securely encrypted) backups, and start now 😉
@@LordNementon Negating the security provided by the TPM as those secure backups require the key to unlock them to be stored somewhere in a format that does not rely on the TPM.
I'm sure it's a dumb question, but if the computer is compromised by Mike, why can't he retrieve the key before it gets sent (or en route) to the TPM to be encrypted?
That's an attack that is possible, but you'd have to have already compromised the system. Some of the important keys are set up before the system connects to the internet for the first time.
I don't trust the Trusted Computing Group.
Well, you can trust them, but not necessarily the vendors who will build them, again think about the android phones that had viruses on them out of the factory.
The government don't trust us and they ask us to trust them.
Agree
The Free Software Foundation has a much more accurate name: Treacherous Computing.
seems like this could make hardware upgrades difficult/impossible without reinstalling windows
Not if the module is of the plug-in type.
It's really not. All you need to do is backup your windows using your windows 7 backup tool, and then open recovery and then choose restore using image. Might not be exact in the naming sense but you will basically have to do that. And, this is only required if you change your motherboard, otherwise not.
@@SahilP2648 You don't even need to do that. Windows gives you a recovery key when enabling drive encryption. If you change your hardware, you are prompted for the recovery key at boot time. Type it in, it gets stored in the new TPM, Windows boots, job done.
@@t_z1030 oh I see. Nice and thanks.
@@t_z1030 keep your password away from mike
What happens if the TPM chip fails/goes defect, then you can say bye bye to all your encrypted data and DRM licenses, since a backup of the stored secret key isn't supported!?
Then all your data is screwed.
I see a lot of with this TPM. Non-technical individuals are going to put themselves in worlds of problems.... :-(
@@ghume79 It's another nail in the coffin of universally usable computers which can run any kind of code that you would like them to run. Look up Cory Doctorow's talk about it, it's almost 10 years old now, but still highly up-to-date in a way...
Windows gives you a backup key, so even if you put your drive into a new computer with a different CPU/MB/TPM you can still decrypt your drive.
@@cronchcrunch Not if the TPM chip itself goes defunct, otherwise they are admitting to having a backdoor.
Fascinating talk! My takeaway is: TPM transforms the task of "hiding" (securing) a single key into hiding multiple parameters. "Mike" has to work harder to determine how many and which key-value pairs are used to seal the TPM key. Because such parameters are set individually on each system, the reward of such labour also diminishes geometrically.
Are we not going to talk about the history of Microsoft pushing the TPM with Palladium back in the Windows 8 days? Yeah? Nah? Okay, cool. Cool.
TPM2.0 required for Win10 certification of new computers, yep.
It's very shady to not discuss the history of the TPM and what the intentions are of those who seek to make it widely available.
@@JosephDavies I didn't really expect a very critical video though when I saw the guest. Still disappointing.
You again? Palladium is not TPM. TPM is an open standard and a general purpose crypto module. Palladium was not.
@@nachik09 haven't we been over this? What does it matter, that the standard is open? Palladium was built on TPM.
2021, the year of the Linux desktop
2019 was my year of the Linux desktop.
@@Roxor128 I've been using linux for years, full disk encryption.
Hallelujah!
This. Can confirm, 5 months of Linux, never been happier, and I've been on Windows for over 20 years, even had the chance to witness the one version before 95, whatever it's called, lol.
@@6500s1 Probably Windows 3.1 if it had sound support. 3.0 if it didn't.
And as soon as pirates find a way to spoof a TPM in software, the whole thing will become just another vulnerability.
Does Intel, or whoever manufactured the chip, potentially have a record of the TPM encryption key?
it's quite plausible
It'd be pretty dumb to generate a key and then just pitch it off into the universe with no backup. Perhaps the client might need it again? Do you trust the bank not to spend your money? Why?
The chip manufacturers already know about all the undocumented processor instructions they built into your CPU that would allow them or whoever else knows about them to access and manipulate every bit of information in every part of memory, cache or register on your system any time they like, so if trusting them is a problem for you I hope you're not using a modern processor.
@@MagicPlants the bank literally does spend your money though, they just don't remove it from your account.
@@MagicPlants I trust the bank to spend my money because that's what they say they will do (hint: You're lending the bank money to do with as they please; you don't have "money in the bank", you have a promissory note from the bank to repay you; for this you used to be provided with 3-4% interest yearly, but now you lend them money for free. Thank the fed or your national equivalent)
Hmmmm just seems like a shell game of pushing the problem until you no longer know where the problem is, but it’s still there.
If my legit software running on Windows can ask the TPM to decrypt the stored key for use, why can’t software that has compromised and gained execute permission on the system also just do that as well: ask the TPM to decrypt?
Some software row hammers or in other ways gains access to a bit of memory it shouldn’t access and now has a key that is TPM protected. What keeps that malware from just using the TPM to decrypt ?
The added points of failure are a bit worrisome because they were not explained: if I get a new motherboard or CPU, will I no longer be able to access my encrypted keys?
I guess TPM is just for preventing various physical methods for extracting keys, as opposed to preventing misuse by the OS itself. If the OS is compromised, there is not much a TPM can do.
@@zyansheep Then it's quite useless. There is low risk that anyone breaks in to my home and tampers with the hardware on my computer; on the other hand it's connected to the internet so it could be compromised by software and remote hackers.
And I want to be able to upgrade and repair my computer, tampering with hardware and UEFI settings myself.
@@zyansheep there is something it can do, if the part that got compromised was part of the state you selected (no idea how that part works, maybe it's not doable)
@@lubricustheslippery5028 yeah, i agree. Having a secure (open source) OS which won't be as vulnerable to exploits is much better for most people. TPMs seem pretty useless to the average consumer imo.
Of what encrypted keys are you talking about? Your Bitlocker key? It's not saved inside the TPM, but ciphered with the TPM. You will have a backup of it as every Bitlocker user knows.
If your drive is compromised when it is up and running, your drive will be already unencrypted; Bitlocker protects against unauthorized access of a lost or stolen drive.
Anyway, W11 Home users will probably not have access to Bitlocker; it has so far only been available for Windows Pro users and Microsoft has not said so far that it will change.
TPM is not only used for Bitlocker. Secure boot is not an issue; it can always be disabled in BIOS/UEFI in the worst of all scenarios.
Other Windows security features that leverage the TPM use virtualization to prevent any other software from accessing its secrets (you can look up Windows Virtualization Based Security), which protects "runtime" internal Windows secrets that do not survive a reboot, btw.
8:10 Does this mean that if windows fails to boot and I can't repair it, that I can't restore the data from another install. Does the TPM require the exact install that I had before the crash?
So, with an active TPM, any sort of hardware failure will result in you losing pretty much everything? Be that a TPM failure, or motherboard, CPU, HDD etc. Sounds like a great idea, but also the cause of heartache.
Not necessarily. Most home users don't do full drive encryption. Just because you have an active TPM doesn't mean "whoops, every single byte of data you now have is encrypted now and forever". The Microsoft technology that does this is called BitLocker (can be used in conjunction with a TPM or not). If you have data that is "precious", or "irreplaceable", but not "secret", just store it in a place (or more than one) that isn't encrypted.
One man's heartache is another company's new sale.
If you keep your recovery key, like the Bitlocker process insists you do so safely (and won't even begin until you make a reasonable attempt at one method), then you lose nothing.
I've had a hard drive failure eat years of data before. And it wasn't encrypted. Keep backups, multiples preferably.
@@AdamReece87 This process sounds like it will be very easy to teach my grandmother and grandfather. Isn't it great how user-friendly, accessible, and stable Windows is these days?
My question is: aren't we already trusting our OS not to send your data off to a third party?
What's stopping a malicious OS from just using the TPM to do that?
I suppose the TPM could have a button physically connected to it that needs to be pressed before the chip does anything to ensure user consent. Like on mobile security keys or the Titan M on Pixels.
How many TPMs (particularly on consumer hardware) do that?
And this TPM is of course 100% open source so we can all verify precisely how trustworthy it is and that it doesn't leak any information that is not chosen by us or the NSA, right?
Yep. The reference implementation is BSD licensed.
@@enochliu8316 so you say that preinstalled key is BSD-licensed? Is reference implementation the one an average person will get in their PC? Don't bother answering.
Concept of TPM has been lurking around for a number of years. I seem to remember some years back of claims of TPM posing a threat to Linux or other alternative operating systems.
So if your motherboard dies ur data goes with it, amazing solution 🤮
That's what the backup keys are for. You really DON'T want to lose those, tho. They exist for Linux Full Disk Encryption as well.
@@DFX2KX You can't back up TPM keys as you cannot read them! If the chip is gone all is lost! LUKS is perfect, don't need TPM.
Trust me, if something can't be accessed someone will find a way; it may only be in person but it had to be written to a chip at some point, so it can be read from and rewritten to again.
@@ss-xy2im Bitlocker keys are not saved inside the TPM, they are ciphered by the TPM.
The ciphered key is readable on the disk.
Obviously any Bitlocker user will have access to and will back up the secret or recovery key of their drive (you can look at how Bitlocker works for more information).
Bitlocker has always been only for Windows Pro users and will surely not change with W11.
TPM is not only used for Bitlocker (Secure boot, Virtualization Based Security).
So no, if your motherboard dies, no issue with your drive data.
But if your drive dies and you do not have backups, yes you will be screwed.
@@ss-xy2im Backup key is a second copy of the Bitlocker key that is not sealed by the TPM but usable directly.
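The "backup key" mechanism debated in the replies above (a volume key wrapped once by the TPM and once by a recovery password, so losing the TPM does not lose the data) as an added example. This is not code from the video, from Microsoft, or from any commenter: `SimulatedTpm`, `keystream_xor`, the protector names and the recovery password are all constructed for illustration, and the XOR keystream is a stand-in for the AES wrapping a real implementation uses.

```python
import hashlib
import hmac
import os
import secrets


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with SHA-256(key || counter) blocks.
    Symmetric, so the same call encrypts and decrypts (constructed stand-in for AES)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def wrap(kek: bytes, vmk: bytes) -> dict:
    """Encrypt the volume master key under a key-encryption key and add an HMAC tag."""
    ct = keystream_xor(kek, vmk)
    return {"ct": ct, "tag": hmac.new(kek, ct, hashlib.sha256).digest()}


def unwrap(kek: bytes, blob: dict):
    """Return the VMK, or None when the KEK is wrong or the blob was tampered with."""
    expected = hmac.new(kek, blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    return keystream_xor(kek, blob["ct"])


class SimulatedTpm:
    """Constructed model of one chip: a secret that never leaves it, used only to derive KEKs."""

    def __init__(self):
        self._storage_seed = secrets.token_bytes(32)  # different for every chip instance

    def derive_kek(self, label: bytes) -> bytes:
        return hmac.new(self._storage_seed, label, hashlib.sha256).digest()


def recovery_kek(password: str, salt: bytes) -> bytes:
    """KEK from the recovery password via PBKDF2; no TPM involved at all."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def protect_volume(tpm: SimulatedTpm, recovery_password: str):
    """Create the VMK and both protectors; the metadata is what would sit on disk."""
    vmk = secrets.token_bytes(32)
    salt = os.urandom(16)
    metadata = {
        "tpm_protector": wrap(tpm.derive_kek(b"volume-1"), vmk),
        "recovery_protector": wrap(recovery_kek(recovery_password, salt), vmk),
        "recovery_salt": salt,
    }
    return vmk, metadata


def unlock_with_tpm(tpm: SimulatedTpm, metadata: dict):
    return unwrap(tpm.derive_kek(b"volume-1"), metadata["tpm_protector"])


def unlock_with_recovery(password: str, metadata: dict):
    return unwrap(recovery_kek(password, metadata["recovery_salt"]), metadata["recovery_protector"])


def demo():
    """Normal boot, motherboard swap, recovery path, and a wrong recovery password."""
    original_tpm = SimulatedTpm()
    password = "111111-222222-333333"  # constructed recovery password
    vmk, meta = protect_volume(original_tpm, password)
    tpm_unlock_ok = unlock_with_tpm(original_tpm, meta) == vmk
    replacement_tpm = SimulatedTpm()  # new board: different seed, protector unusable
    swap_fails = unlock_with_tpm(replacement_tpm, meta) is None
    recovery_ok = unlock_with_recovery(password, meta) == vmk
    wrong_password_fails = unlock_with_recovery("000000-000000-000000", meta) is None
    return tpm_unlock_ok, swap_fails, recovery_ok, wrong_password_fails


if __name__ == "__main__":
    print(demo())  # (True, True, True, True)
```

The point the simulation makes is the one the replies argue about: the TPM-sealed protector is only as durable as the chip, while the recovery protector depends on nothing but the password and the salt stored beside the ciphertext, so a failed or replaced TPM is recoverable exactly as long as that password was kept.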
I wrote a bootloader that loads encrypted binaries, but only if:
Secure boot is enabled (disabling flips a PCR)
My bootloader is loaded (again PCR)
and my bootloader is signed with my private key (one of the PCR's changes when the secure boot key that's used changes)
Only then will the TPM unseal its decryption keys which are used to decrypt the binaries, which then load into memory. Before I jump to the OS I extend the PCRs once more to re-seal the key, and then I boot the system.
So here we are! Boot level DRM... DRM in the deepest layer of your system.
The only person you can trust to encrypt your data is yourself.
But can you really trust yourself?
It would be great if you could explain how vTPM works on different virtualization stack. Where are those keys stored
I am so friggin glad the commenters are calling out the misleading statements in this video with the shortcomings of TPM systems. I hope the channel editors can learn a thing or two.
Key phrase used there. Make sure your hardware is using "their software", not any software. These TPMs could very easily support secure open source operating systems.
Do they?
This is still just moving the problem. This will be compromised.
Except you are wrong. Perfect security can and does exist. Data transmission by quantum entanglement is a great example but there are easier to implement security schemes that simulate this principle.
@@roberttalada5196 Except, that is also wrong. If someone compromises the supply chain of your quantum entanglement system then you run into the same issue with compromising the TPM.
I don't line up with the negative comments, I feel like lining other peoples pockets and I would like to do it in a Trusted way
Microsoft have been trying to push TPM for decades. It's been revised and poked around with. Microsoft as usual, so keen to make it inconvenient to run anything other than Nauseating Windows and Microsoft applications.
Are there any PCI cards (or USB dongles) out there for TPM 2.0 for motherboards that do not have the plug in location?
I do not seem to be able to find any....
I can see this as a way to lock a program from being modified. If you go to modify a program with mods or to look as the assets or just poke around, the TPM can lock you out of even just looking at it on your own PC.
Ok where do we buy the module ? I've seen a few made in China are those the one?
I still don't want tpm in my machine in regard how it would be implemented by companies that make this chips, what could be inside of them and what proprietary software would run on them
I sense a fellow Unix user
@@tanmaypanadi1414 you're right
As, I've already said around here, Linux without secure boot is a terribly bad idea ...
Don't make me believe all parts of your computer use open source firmware ...
TPM is how corporations impose their keys on our systems which we cannot view in order to protect information they want to keep secure, not necessarily for our benefit.
When the key is unwrapped by the TPM, don't you then need to store that unwrapped key in the memory for the duration of the decryption cycle so that the CPU can use that key to decrypt the data? And doesn't this create the same problem again of having the key in memory?
Same thing I was thinking. please let know if you found any further info regarding this.
So now when my motherboard dies I lose access to my entire installation? There should be removable TPMs that can plug into several motherboards to make installations portable between compatible chipsets
Most people will be using removable TPMs.
I have some (hopefully) constructive criticism about the way the first half of this video was done. If you disagree with me please do reply... I'd love to find out if this is just me (I have a question at the end of this comment for anyone reading this)
I liked this video and I understood everything that was explained but that's because I've recently done some casual reading about TPMs and how they're used and about the chain of trust when booting up your OS. So that made it easy for me to follow along with everything in this video because it was mostly just me going "oh yeah, I remember reading that" and just nodding along.
But I feel like a lot of the stuff explained especially in the first 3-4 minutes of the video - where Dr Steve is setting the scene of how different solutions for "keeping the key a secret" are actually just moving the problem up a few layers and **why** we need a TPM - are kind of rushed over quickly in a couple of short sentences with some quick and not very clear (albeit funny) graphics of Mike.
For example: Dr Steve explained how someone could modify the OS to send the key to a malicious 3rd party. Or how the firmware could be modified to skip checks that verify the OS was not tampered with in any way and had malicious code inserted in it (I suppose he's referring to the secure boot feature? Not sure..). All of these concepts were rushed over in a few very quick sentences in one or 2 breaths. Maybe that part of the video could have been explained a little slower so that it could really help the audience understand the problem?... especially audience members who have never even thought about or read about stuff like full disk encryption and storing decryption keys on the system and the different ways someone could try to steal them (and therefore, why we even have things like secure boot or TPM in the first place).
I feel like someone with less knowledge would just be left confused after listening to all of those very quick points and not really leave here with a proper understanding of WHY we need a TPM.
The reason I'm writing this comment is actually because this isn't the first time I've felt this way about a computerphile video. There were a couple of times where I noticed how some arguably important parts of the explanations were rushed/mumbled over with very little diagrams/graphics and it left me more confused and unable to keep following along with the rest of the video because of all the questions in my head. Sometimes the videos just help re-enforce knowledge for someone who already had a basic understanding about the video's topic beforehand, but it doesn't really help someone who's new to the topic understand it very well (unless maybe they re-watch the video a couple of times).
But maybe I'm overthinking this so I have an open question to anyone reading this comment. If you are someone who has a basic understanding of encryption but wasn't really aware of TPM or secure boot or anything else about storing a decryption key safely on a computer... after watching this video, did you feel like it painted a clear picture and answered your questions about what a TPM is and why we need it? Or did you end up more confused than when you first came here.
I know what encryption is, didn't know a lot about TPMs and secure boot, and my questions have been answered by this video.
I for one had the intuitive knowledge of what TPM does to Bitlocker, and this video just reinforced and clarified that and allowed me to confirm the fact that the Apple T2 is just a TPM without the TPM API.
Let's be honest, TPM will be used primarily by Microsoft as a copy protection. That's why this chip is required in order to run Windows 11.
Which leads to...
Does a TPM even solve the problem?
What if the OS doesn't work as intended or has an exploit that makes it not use the TPM? Remember the TPM is used if you don't trust that the OS can keep the key secure, but you can only access the TPM through the OS.
So instead of trusting the OS to keep the key secure you trust the OS to use the TPM without logging the key before the encryption and that the TPM doesn't leak the storage root key or the key to encrypt.
That just creates an extra point of failure.
Also what happens to your keys or encrypted drives if your TPM dies?
You can't access your keys and encrypted data.
You then should use a backup key?
But doesn't that make the whole process obsolete?
Please correct me if I am wrong.
You're not wrong. The key has to be in the clear at some point to be useful, and that makes it vulnerable. This is an attempt to minimize the size of that window, but at the cost of increased complexity and thus decreased reliability. I suppose the counterargument is that secure boot makes a root kit impossible, but I imagine we'll eventually find out that doesn't work either. Remember the speculative execution data leak? The more complicated you make a system the more likely it has a critical failure that you're not smart enough to see.
They are a horrible idea. If that TPM goes belly up, you lose access to all your data. If you don't have your recovery key, or lost it, or forgot the password for your MS account that you only used once 6 years ago, or enabled bitlocker without an MS account (you know, the stuff the average person has no clue how to deal with) .. well then, you've lost everything. And please, don't pretend this is a rare situation. I fix computers for a living. 90% of my customers can't remember a password they created a month ago and we have had 4 failed TPMs this year on computers that were encrypted with bitlocker. Only one of those remembered his MS account password. The other 3 had their lives ruined. Now MS are going to force those people that are most vulnerable to enter into this horrible situation. This should only be used by people that have the equivalent of an IT department that can ensure it is employed correctly. A lot of people are going to have a lot of grief going forward. Mark my words.
And what if you can't trust the TPM, the software that is made for it or the actor who generates the root key for the TPM? Clipper chip anyone?
You could say that about literally anything though. Do you trust all the software on your device you used to write that comment? Did any of it leak the keys used for TLS sessions? You probably don't know for sure.
@Matt You don't have to trust anything, you're welcome to your choices.
The point I'm making is almost everything we use has cases for and against being trustworthy, and given none of us build 100% of everything we use ourselves we're always going to be putting trust in someone else.
@Matt My point has been that TPM is no worse than anything else. Not intending to be "sneaky" and "dishonest", but I'm sure you'll read between the lines in whatever way you like. :)
It's scary to see how many people have forgotten that the TPM came out of the same era and had a lot of the same supporters.
@Matt No. What he's saying is, if you don't trust the TPM to be not compromised, then you don't trust the manufacturer. If so, why are you using their equipment at all?
To me it looks like I'll remain with Win 10 - but gradually move over to Linux as I get more and more software for it.
Who asked for or wants TPM?
Not 99% of Windows users I bet.
And most of these users already have it anyway. If you have purchased a laptop with Window 10 installed, you have this TPM chip, and you use it all the time.
Linux users asked, want them and use them 😜
I hope for you that you will use it under Linux
windows 11 works fine on a pc with no tpm, if you're willing to jump through a small hoop
Clear and intelligent explanation of TPM. It would seem that it's still vulnerable to a physical attack by monitoring the SPI lines.
Ransomware will love these things.
@Øivin Fjeldstad Single point of failure. If the OS can set keys then there will be an exploit that can do it too. And everything will be gone, instantaneously.
@@fluffymcdeath that is why secure boot is a thing
Is it for security or to force new hardware sales? Will a CPU swap with say Intel PTT (Platform Trust Technology) make Windows 11 unbootable or lose activation?
I want an external TPM like device that works like a real key and lock - a machine only works when I physically plug the device in or NFC and the crypto-key never leaves the key device though it can be duplicated by an authorized third party key service (hardware store key cutting kiosk analog) and the same key can be used on multiple target devices (phone, laptop, desktop etc.) The design of this key device must not allow monopoly capture.
Look up Yubikey
look up USB keys. and the FIDO protocol.
It's exactly what you're looking for and everyone should have one.
that way lazy peeps can finally stop using the same password for everything!
Also sounds a lot like what systemd-homed is trying to achieve
Yubikey, Librem key, there might be others
This already exists on Linux
Eventually the hardware that the TPM uses needs to be improved. This was one of those cases. TPM version 2
I don't want one. I don't want things keeping me from controlling my own computer. It's a PERSONAL computer. It's not Microsoft's computer - it's MINE. This is a total cop-out. GET YOUR OS RIGHT, GUYS. Come on.
So, you trust those three letters agencies' hold on the manufacturer of those TPM chips? Looks like putting all eggs in an untrusted, private, for-profit, closed-source, faceless basket.
Why not simply have the master "TPM" key never stored, nor pre-allocated, by using an early, low-level, pre-bios/uefi, user-inputted, password? It won't solve all the problems surrounding TPM, but that's a much better way to "store" that key. On top of that, other keys derived from that pre-boot password could be used to encrypt storage and/or memory.
Also, have that temporary master key held in the most volatile, physically hard to access, self-destructing if coerced or probed, isolated memory. Then the problem is no longer in the system, and the tech/system side of it is secure (not the human part though, but that's another can of worms).
So by the sounds of it, a TPM is just a microcontroller running a specialised program?
the design/manufacturing of it is handled in a more "secure" way, similar to other "secure" chips like access passes or bank card chips.
So it's less likely that someone snoops out any security holes, or back doors which they are able to hide because of all the secrecy...
Yeah, pretty much, you could most likely make your own because of the open spec. The thing is that there is physically no way to reprogram them, even if you have access to the chip (you might be able to open up the IC and program through the die or whatever, but that's another point). It means that even if someone has access to your hardware you still need to have extra access to the TPM.
@@SebBrosig this is simply not true. Secrecy/obfuscation does not result in better security. The TPM spec is an open spec, which means that anyone can find out how they work. This is in fact why they are trusted: there is no secrecy involved.
It could be just a micro, it is an ASIC of course, but the hardware isn't some weird obscure hidden thing.
Same with bankcards by the way. Most bankcard specs are pretty well known
@@JoQeZzZ There is also something called fTPM, "Firmware TPM", where the firmware uses security features in the CPU (such as the AMD PSP or something in Intel that I forget) to implement the TPM. The root key is in the CPU itself.
Lol
This is the best explanation of TPM I've seen so far. One thing I still don't understand though is, how does it make it more secure in a practical sense, from a user's perspective?
Welcome to a whole new world of driver errors
And what's to stop a hacker from creating a virus that can access that function for wrapping and unwrapping keys just as a user might? And how about all of us that have no reason to use encryption keys for our e-mail or anything else that I know of? Sounds to me like they just kicked the can just a bit further down the road and I fail to see how this is actually any more secure. If you need absolute security then you don't connect the computer to the internet.
TPM keys will be attacked as fast as Blu-ray or other systems were attacked. It will be shared between so many companies and people that there is no way to guarantee the needed level of security to avoid determined attackers.
even if that happens, that doesn't reduce your security at all since the wrapped keys are still being stored in your system.
they'd need root access to your system at the end of the day, which is the same as having no TPM.
By this point (2021-07-23 when this video was posted) attacks against TPM had already been done, see Wikipedia. Well, WP lists the ones that we know of, we have no idea what NSA, GCHQ, et al are capable of.
Your TPM's key is only inside your TPM.
An AACS key is inside every copy of that revision of that BD-player.
DVD keys were weak because exporting hardware/software from the US with stronger encryption was equivalent to exporting bombs (PGP was classified as a munition).
Unless you're sharing your computer with millions of people, a key wrapped/sealed by a TPM is about as hard/worthwhile to attack remotely as a key generated from /dev/hwrng and stored in /root/SuperSecretKey, or the encryption keys in your SIM card, or the keys used to digitally sign your passport.
Trusted Platform Module protects computers from unauthorized access, such as when user wants to do something.
Wait, so the interface to the TPM is the OS (which I can't trust)?
just shut up and install the NSA's backdoored chip!!
It is yes, but you can't use the OS to change the TPM software (as far as I know).
@@VincentGroenewold Doesn't matter. The OS could lie to me about everything and not even communicate with the TPM
You have to trust the OS regardless, what a TPM helps with is verifying/enforcing that subsequent boots are running the same OS as when the values were set, even if the computer was booted to some other OS or was potentially tampered with in the interim.
For example Heads is a corelinux based bootloader that checks a PGP signature on the files in the boot partition, and lets you know if those are still valid. Every time you update, verification will fail and you need to re-sign things (the key lives on a security token, e.g. yubikey). If this happens unexpectedly then your computer might be compromised, because something on the boot partition changed.
But that raises the question, how do you trust Heads itself hasn't been compromised? For that it uses the TPM to do a measured boot and seals a TOTP/HOTP secret with it at setup time, that you can put in a phone app. On every boot it tries to unseal the secret, and then displays a 6 digit code that you can compare. If the code matches, then you are almost certainly running the same bootloader, and therefore can at least trust that, but if it changed then you know that the computer is compromised and therefore you probably shouldn't enter your disk encryption password.
FWIW that bit is based on Matthew Garrett's anti evil maid stuff, I think that was the first thing to implement TPM + TOTP? not sure...
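The two mechanisms described in this thread, the bootloader that seals keys to PCRs and caps them before handing off to the OS, and the Heads-style measured boot that unseals an HOTP secret and shows a code, as one added simulation. It is not the commenter's bootloader, not Heads, and not Matthew Garrett's code: `SimulatedTpm`, `policy_digest`, the PCR numbers and the measurement byte strings are constructed for illustration, the one-block XOR "stream cipher" stands in for the chip's real symmetric wrapping, and the sealed secret is the RFC 4226 HOTP test-vector key so the expected code is known.

```python
import hashlib
import hmac
import struct


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def pcr_extend(current: bytes, measurement: bytes) -> bytes:
    """PCR_new = H(PCR_old || H(measurement)): order dependent and not reversible."""
    return sha256(current + sha256(measurement))


def policy_digest(pcrs: dict, selection) -> bytes:
    """Digest over the selected PCR values (constructed stand-in for a PCR policy)."""
    return sha256(b"".join(struct.pack(">I", i) + pcrs[i] for i in sorted(selection)))


class SimulatedTpm:
    """Constructed model of one chip: PCRs reset at power-on, the seed never leaves."""

    def __init__(self, n_pcrs: int = 8):
        self.pcrs = {i: bytes(32) for i in range(n_pcrs)}
        self._seed = sha256(b"constructed per-chip seed, never exported")

    def extend(self, index: int, measurement: bytes) -> None:
        self.pcrs[index] = pcr_extend(self.pcrs[index], measurement)

    def _kek(self, policy: bytes) -> bytes:
        # Key-encryption key bound to the policy digest; only this chip can derive it.
        return hmac.new(self._seed, policy, hashlib.sha256).digest()

    def _stream(self, kek: bytes, data: bytes) -> bytes:
        # Toy one-block stream cipher (secrets up to 32 bytes); a real chip uses AES.
        pad = hashlib.sha256(kek + b"stream").digest()
        return bytes(a ^ b for a, b in zip(data, pad))

    def seal(self, secret: bytes, selection) -> dict:
        """Seal to the current PCR values; unsealing needs exactly the same values."""
        kek = self._kek(policy_digest(self.pcrs, selection))
        ct = self._stream(kek, secret)
        return {"selection": tuple(sorted(selection)), "ct": ct,
                "tag": hmac.new(kek, ct, hashlib.sha256).digest()}

    def unseal(self, blob: dict):
        """Recompute the policy from the live PCRs; any change yields a wrong KEK."""
        kek = self._kek(policy_digest(self.pcrs, blob["selection"]))
        expected = hmac.new(kek, blob["ct"], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, blob["tag"]):
            return None
        return self._stream(kek, blob["ct"])


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: the kind of code Heads displays for comparison with a phone app."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


# Constructed measurements standing in for the firmware and bootloader images.
GOOD_FIRMWARE = b"firmware image v1"
GOOD_BOOTLOADER = b"my bootloader, signed with my own key"
PCR_SELECTION = (0, 1, 7)
HOTP_SECRET = b"12345678901234567890"  # RFC 4226 test-vector secret


def measured_boot(tpm: SimulatedTpm, secure_boot_on: bool, bootloader: bytes) -> None:
    """Extend PCRs the way the bootloader comment describes: firmware, secure boot state, loader."""
    tpm.extend(0, GOOD_FIRMWARE)
    tpm.extend(7, b"secure boot enabled" if secure_boot_on else b"secure boot disabled")
    tpm.extend(1, bootloader)


def enroll() -> dict:
    """At setup: boot the known-good chain, then seal the HOTP secret to those PCRs."""
    tpm = SimulatedTpm()
    measured_boot(tpm, True, GOOD_BOOTLOADER)
    return tpm.seal(HOTP_SECRET, PCR_SELECTION)


SEALED = enroll()  # the sealed blob lives on disk; only the PCRs decide if it opens


def boot_and_attest(secure_boot_on: bool, bootloader: bytes, cap_before_os: bool = False):
    """Power the same chip on again, boot, try to unseal; return the HOTP code or None."""
    tpm = SimulatedTpm()
    measured_boot(tpm, secure_boot_on, bootloader)
    if cap_before_os:
        tpm.extend(1, b"handing off to the OS")  # "extend once more": the OS cannot unseal
    secret = tpm.unseal(SEALED)
    return None if secret is None else hotp(secret, 0)


if __name__ == "__main__":
    print("good boot      :", boot_and_attest(True, GOOD_BOOTLOADER))        # 755224
    print("secure boot off:", boot_and_attest(False, GOOD_BOOTLOADER))       # None
    print("tampered loader:", boot_and_attest(True, b"evil bootloader"))     # None
    print("after capping  :", boot_and_attest(True, GOOD_BOOTLOADER, True))  # None
```

Because the key-encryption key is derived from the policy digest rather than compared against it, a disabled secure boot, a replaced bootloader, or the deliberate extra extend before the OS starts all produce a different KEK and a failed tag check, which is the behaviour both comments rely on: the secret is only ever available in the exact measured state it was sealed in.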
@@forb291 If the OS does not communicate with the TPM, it won't be able to decrypt (unseal) the encryption key, meaning, your stuff will remain encrypted.
Why do you need to have the key stored on the pc?
Hmmm, so theoretically, when TPM dies (by accident 1 week after the warranty ends) , and my hdd or bootup is secured using ... 🤔
at the end of the line you still gotta have a password.
@@stoneskull No
@@stoneskull But if you involve a TPM (or other key-bearing hardware device for that matter), the password is only part of the key material. Maybe that password is used to decrypt the key that is in turn used to decrypt your data. But however it works, if the TPM dies, you can no longer access your data, unless you have it backed up somewhere, either in the clear or encrypted with a key not protected by the TPM. So yeah, a TPM might secure the OS, but as far as I can determine, when it comes to your important data, it's either at the mercy of a piece of hardware that might fail, or not really protected by that hardware.
This has me very concerned.
If a person installs a TPM chip onto their computer and their computer has 1-boot drive, 4 storage drives, 1PCIe USB expansion card, and a graphics card.
If ANY of those hardware changes after the TPM is installed on the system, the owner is completely locked out of their system because the system won't boot.
The TPM checks and makes sure that the same hardware configuration still exist every time the operating system boots and if it does not, then the owner is locked out of their system.
This is horrifying in many ways.
Let's say for example one of the 4 storage drives mentioned above dies or fails. The owner can not boot the system up because the (hardware) itself is not present.
It died or failed. So if a person purchases a new storage hard drive aka hardware and installs it in their system to replace the failed storage drive. The system will not boot.
Because the TPM will see that the system has a new hardware device that it does not recognize that has been added to the system. And the hardware does not match that of the original hardware that failed. Thus the TPM will prevent the system from booting at all, locking out the owner of such computer.
This is a major problem.
Even if the owner does not have a failed hardware, let's say the owner wants to upgrade their motherboard to a newer version, that the owner has been saving up for.
It's the same brand, manufacturer and type of motherboard, just a newer more up to date version of it. The owner will not be able to boot their system because the TPM has locked the owner out of the system because there was a hardware change. This is a major major major issue.
It has nothing to do with data stored on a drive as that is a completely different discussion. We are talking about hardware itself. TPMs protect hardware.
And it records the hardware state of the system when you first install and activate the TPM.
So while companies are pushing people to have a more secured system, it also comes with a barrel of nightmares. 🤷♀🤷♀🤷♀
11:11 is the only thing you need to know about it.
Translation: it's got a backdoor embedded in it at manufacture-time that can't be removed or changed, which can be used to read ALL your keys and thus all your confidential data.
You are basically describing an OS; talking to your hardware is at its core, you know...
My workstation uses a server motherboard, so I've had one of these installed for about a decade now... never used it like I should have. Thanks for this video!
Can't wait until a windows update changes some little detail that affects the system state used by the TPM and breaks all of the encrypted things you had.
Windows update automatically refreshes the TPM state after updates to prevent that from happening
@@jesseweigert6664 But how does Windows Update know where some of the sealed keys are? If I write my own program which uses the Windows API to have it ask the TPM to seal a key for me and then write that key to the hard disk, how would Windows Update know that it needs to refresh that key on the disk as well, since Windows doesn't check all file I/O to mark any files that look like keys for later refresh?
@@reinei1 I don't know the specific details on how it works, but I do know that the security model in Windows prevents you from mucking with the TPM directly without invoking UAC.
RIP my old i7 920. I will run you till the end.
Gosh, I miss when computers weren't used for extremely sensitive data like your banking and every interaction with the government. There was a time when it didn't really matter that much if your computer had viruses, because you didn't use it for anything important and you could just wipe everything and start fresh. Putting our credit cards on our computers was really painting an X on our backs, and now you can't really function without it. Same kind of vulnerabilities we're getting pushed into with every device having a camera and microphone built in, just adding more layers of bright red paint to the X and screwing up our choice architectures with our do-anything wonder devices.
I really don't like the move by Microsoft forcing TPMs onto not only OEM builds but DIY consumers also. Legacy and scarcity don't bother me as much as Microsoft forcing a baseline, which other software can then use to enforce DRM/anti-cheat/etc. - all consumer unfriendly.
Let's be real, the threat model of an end user losing their keys in a software attack compared to a TPM is very close in terms of relative probability. It's simply not an attack that needs to be worried about, and even if it was, users should have the choice to worry about it or not.
Other security measures like HVCI/VBS which actually may have an impact seem to be bundled up with the TPM news, making many people think they need a TPM to get the HVCI/VBS security benefits (which is not true).
What happens when you replace your motherboard (for any reason)? Now you have a new TPM with a new key that you weren't using with all your other things.
Would you mind discussing dTPM and fTPM and their possible attack surfaces like attaching logic analyzer or changing firmware etc. ?
Poor Mike! :)
If anything, poor us; all _our_ keys are pwned :P
No Mikes were harmed in the making of this video…
Their reputations on the other hand… :-)
So basically it's the re-emergence of the 1990's dongle.
IT technology seems to be a series of cycles claiming to be new but really just a slight change of something that was once around a few years ago.
The way they work now, TPMs don't protect the end user; they benefit manufacturers and OS makers far more and can easily be abused by them with nothing the user can do about it.
how exactly can they do that?
@@BattousaiHBr Because they control the keys, which determine what is and isn't allowed to happen. You literally have to get a key from Microsoft if you want to install Linux on a computer with secureboot enabled.
@@Razumen how do the manufacturers control the keys, which are stored in your computer?
@@BattousaiHBr Because it only stores them, it doesn't sign them.
@@Razumen you didn't answer the question.
how do manufacturers control the key that is stored in _your_ computer?
I'm assuming you didn't watch the video and just immediately commented here...
8:20 Why isn't it far more likely to change the state of the system beyond recognition by just some hard-to-retrace combination of updates and new software installs, rather than a malicious action? Just a single malicious piece of software may compromise the system, and yet I don't see people reverting tens of new updates/programs just to decrypt a folder.
ok but why would I want to use a proprietary chip with severe vulnerabilities and a backdoored RNG algorithm when I could literally just use a password or a USB dongle with my encryption key on it
If TPMs are to become a thing, they MUST have open-source firmware and give complete control to the user. Under NO circumstances should it be possible for software to use the TPM to hide or restrict things from the user. Otherwise it can, and will, be used maliciously to *weaken* security.
Presumably those configuration registers on the TPM are written to at some point during startup. How is this done? It can't be the operating system writing them, because then a malicious operating system loaded on could just lie about them to trick the TPM into decrypting keys it shouldn't.
I was just researching this; I plan to build my own TPM boards, just a single IC and some passives.
Not advisable.
It's not worth the effort. The margins are tiny. The main problem is that your IC will not have shielded memory for physical security like the sort made by microchip.
Also note that you can use the firmware TPM on most processors :)
So my keys can't be unsealed anymore if I upgrade my GPU or flash a new BIOS version? And all my keys are gone when I upgrade my mobo? @7:05
Yes, but don't worry, every piece of software is also aware of that possibility.
The example in the video is just an example. Windows' Bitlocker full disk encryption kind of works like that, but not totally; users will always have a recovery key to decipher their data.
In the case of TPM changes, Bitlocker will just ask users to give it the recovery key, to reseal its key in the chip.
Also, btw, TPM is not only made to support full disk encryption; a lot of various security features can leverage it, and yes, Windows has multiple purposes for a TPM (Linux also supports TPM, and they have also been used in enterprises for years, btw).
For information, Bitlocker has always been restricted to Windows Pro versions, and will be for W11 (which is kind of sad imo for Home edition users).
So, if you never heard of TPM or Bitlocker before, you will probably not use Bitlocker under W11.
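The reseal-with-a-recovery-key behaviour described in this reply, and the earlier question about how the TPM's configuration registers get written, as an added toy model in Python. This is not code from the video, from Microsoft, or from any TPM library: the extend rule (PCR' = SHA-256(PCR || SHA-256(measurement))) and the idea of binding a sealed secret to a PCR value are real TPM 2.0 concepts, but the "seal" here is a simplified stand-in (an HMAC-derived wrapping key plus an authentication tag), and every boot stage, seed and key below is a constructed sample value. The model shows three things: a register can only be extended, never set, so a stage that runs later cannot rewrite what firmware measured before it; changing any measured component yields a different PCR, so the sealed blob no longer unwraps; and a second copy of the same disk key, wrapped under a user-held recovery key, lets the owner reseal against the new PCR value.

```python
import hashlib
import hmac
import os

HASH = hashlib.sha256
PCR_RESET = bytes(32)  # PCRs start as all zeros at platform reset


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """Extend is the only way to change a PCR: PCR' = H(PCR || H(measurement)).

    There is deliberately no `pcr_set`: a later boot stage can add to the
    chain but cannot remove or replace what earlier stages measured.
    """
    return HASH(pcr + HASH(measurement).digest()).digest()


def measure_boot(stages) -> bytes:
    """Firmware measures each stage into the PCR before handing control to it."""
    pcr = PCR_RESET
    for stage in stages:
        pcr = pcr_extend(pcr, stage)
    return pcr


def _wrap(kek: bytes, secret: bytes) -> dict:
    """Toy authenticated wrapping of a 32-byte secret under a 32-byte key."""
    if len(secret) != 32:
        raise ValueError("toy wrapper only handles 32-byte secrets")
    stream = HASH(kek + b"stream").digest()
    ct = bytes(a ^ b for a, b in zip(secret, stream))
    tag = hmac.new(kek, ct, HASH).digest()
    return {"ct": ct, "tag": tag}


def _unwrap(kek: bytes, blob: dict):
    """Returns the secret, or None when the key (and so the policy) is wrong."""
    expected = hmac.new(kek, blob["ct"], HASH).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    stream = HASH(kek + b"stream").digest()
    return bytes(a ^ b for a, b in zip(blob["ct"], stream))


def seal(secret: bytes, device_seed: bytes, pcr: bytes) -> dict:
    """Bind the secret to a device-unique seed AND the expected PCR value."""
    kek = hmac.new(device_seed, b"pcr-policy|" + pcr, HASH).digest()
    return _wrap(kek, secret)


def unseal(blob: dict, device_seed: bytes, pcr: bytes):
    """Unseal succeeds only if the current PCR equals the one sealed against."""
    kek = hmac.new(device_seed, b"pcr-policy|" + pcr, HASH).digest()
    return _unwrap(kek, blob)


def wrap_with_recovery_key(secret: bytes, recovery_key: bytes) -> dict:
    """Escrow copy of the same secret, independent of any PCR state."""
    return _wrap(HASH(b"recovery|" + recovery_key).digest(), secret)


def unwrap_with_recovery_key(blob: dict, recovery_key: bytes):
    return _unwrap(HASH(b"recovery|" + recovery_key).digest(), blob)


def demo() -> dict:
    """Walk through seal, hardware change, recovery and reseal; return results."""
    device_seed = HASH(b"constructed device-unique seed").digest()   # stands in for the TPM's storage root
    disk_key = HASH(b"constructed disk encryption key").digest()    # the secret the OS needs at boot
    recovery_key = os.urandom(32)                                    # what the user is told to print or save

    boot_v1 = [b"firmware v1", b"bootloader", b"kernel", b"storage controller fw"]
    boot_v2 = [b"firmware v2", b"bootloader", b"kernel", b"storage controller fw"]  # one component changed
    pcr_v1 = measure_boot(boot_v1)
    pcr_v2 = measure_boot(boot_v2)

    sealed = seal(disk_key, device_seed, pcr_v1)
    recovery_blob = wrap_with_recovery_key(disk_key, recovery_key)

    before = unseal(sealed, device_seed, pcr_v1)            # normal boot: works
    after_change = unseal(sealed, device_seed, pcr_v2)      # firmware updated: None
    recovered = unwrap_with_recovery_key(recovery_blob, recovery_key)
    resealed = seal(recovered, device_seed, pcr_v2)         # reseal against the new state
    after_reseal = unseal(resealed, device_seed, pcr_v2)

    return {
        "disk_key": disk_key, "pcr_v1": pcr_v1, "pcr_v2": pcr_v2,
        "before": before, "after_change": after_change,
        "recovered": recovered, "after_reseal": after_reseal,
    }


if __name__ == "__main__":
    r = demo()
    print("unseal on original state :", r["before"] == r["disk_key"])
    print("unseal after fw change   :", r["after_change"])
    print("unseal after reseal      :", r["after_reseal"] == r["disk_key"])
```

The lockout the thread worries about is therefore a failed unseal of a key, not a refusal to power on: the machine still boots far enough to ask for the recovery key, and once the key is resealed the new configuration is the trusted one. Whether a given piece of software keeps such an escrow copy, as Bitlocker does with its recovery key, is up to that software.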
Fun fact: In Brazil, TPM is how we call a woman's PMS, so it's a little funny to watch this video thinking about this.
Ikr, ahahahahahah
As a Brazilian, I confirm hehehehe
So, it basically operates kinda like a SIM card or the Secure Enclave for the iPhone, storing secure keys and only giving out wrapped versions (optionally unwrapping the key for authenticated users). Thank you for this clear description. 🙂
It sounds like you can not upgrade things.